Rise of Hadoop challenging for IT

BY ANN BEDNARZ

HADOOP IS coming out of the shadows and into production in IT shops that are drawn to its ability to process and analyze extremely large volumes of data. But the relative newness of the open-source platform and a shortage of experienced Hadoop talent pose technical challenges that enterprise IT teams need to address.

The Hadoop framework grew out of the work of Doug Cutting and Mike Cafarella, who originally developed it to support Apache Nutch, an open-source search engine. It became an Apache project when Cutting and a team of engineers at Yahoo split the distributed computing code out of the Nutch crawler to create Hadoop.

Today Hadoop powers every click at Yahoo, where the Hadoop production environment spans more than 42,000 nodes. That kind of scalability is a sweet spot of Hadoop, which is designed to handle data-intensive distributed applications spanning thousands of nodes and exabytes of data, with a high degree of fault tolerance.

► See Hadoop, page 32
CLEAR CHOICE TEST

IPv6 deployments start at network's edge

Six Application Delivery Controllers deliver IPv6 capabilities to apps hosted

FROM THE EDITOR JOHN DIX




Apple tops the $100B+ tech club

Ten years ago Apple posted revenue of $5.3 billion, a mere gnat compared to the IBM elephant which topped all tech companies with sales of $85.8 billion.

Oh, how the tables have turned.

Apple’s sales have now surpassed those of HP, IBM, and even AT&T and Verizon, two companies that helped propel Apple to the top of the elite club of tech companies that have more than $100 billion in sales.

The fiscal years of the largest tech companies don’t neatly align so it requires a little work to get a sense of how they compare. Apple’s fiscal 2011 ended Sept. 24, with the company posting $108 billion in revenue and $26 billion in net profits. But if you slide the 12-month view forward a quarter so it spans fiscal 2011 Q2, Q3, Q4 and the all-important holiday month in Apple’s 2012 fiscal Q1 (ended Dec. 31), the company recorded sales of $127.6 billion and profits of $32.8 billion.

That edges out HP as the top tech dog, which finished its fiscal 2011 year Oct. 31 with sales of $127.2 billion and an operating profit of $9.7 billion.

But that still leaves a little discrepancy in timing, so let’s dig deeper. HP won’t announce its first-quarter results (for the period ending Jan. 31) until later this month, nor does the company give sales guidance, but the consensus expectation of 25 analysts tracked by Bloomberg Businessweek is that sales will be down 5% for the quarter to $30.8 billion, meaning sales on a trailing 12-month basis as of the end of January will be about $125.7 billion.

Apple, on the other hand, has forecast sales will be up 32% in the next quarter, so a little math indicates sales on a trailing 12-month basis as of the end of January were $130.2 billion. The baton has officially been passed.

And what of mighty IBM? Big Blue is on a calendar year and reported in late January that it finished 2011 with sales up 7% to $106.9 billion, some $20 billion behind Apple for the same 12-month period. And even though IBM can hold its head high because its lusty 15% profit margin dwarfs what HP squeezes out of sales, it can’t hold a candle to Apple’s 25% margin.

AT&T, for its part, racked up sales of $126.7 billion for the calendar year, just behind those of Apple. In its earnings release posted in late January, AT&T reported it activated more than 7.6 million iPhones in the fourth quarter, the majority of which were 4S phones that didn’t even go on sale until Oct. 14. AT&T’s total wireless subscriber base is now 103.2 million. Verizon is also in the $100 billion-plus club, with 2011 sales of $110.9 billion and 108.7 million wireless subscribers.

But Apple leads the pack. All hail the new tech titan.
Apple in the enterprise

I LOVE APPLE products but I can’t imagine having to do IT with them on an enterprise level. The problem we have, however, is twofold (Re: “Apple forcing IT shops to ‘adapt or die’”; tinyurl.com/7ad4rtz):

1. We as IT people are beholden to our users. If everyone is clamoring for an iPad and we give them Galaxy Tabs, to an extent we aren’t doing our jobs. Mostly because they are now unable/unwilling to do theirs.

2. People are inflexible. If I named everyone I knew in real life who was capable of working on a Mac and a Windows environment I wouldn’t use up all 10 fingers.

The same way gentrification hurts the poor by placing their homes out of their living means, so too do we hurt the “plebs” by simply forcing them off their Apple products.

thewolfkin

Breaking down LTE spectrum

I WANTED TO commend the author on an excellent article. I read it in the print version of Network World and learned a great deal (Re: “LTE spectrum: How much do the big carriers have?” tinyurl.com/7nnwc38).

I consider myself a complete layman when it comes to wireless spectrum. I appreciated the author’s explanation of why AT&T was trying to purchase T-Mobile. Previously I was completely against the idea, thinking that it was the Death Star trying to assimilate the competition (sorry for mixing metaphors), but now I realize that AT&T was struggling to purchase bandwidth.

Charles Waters

Network of the future

I AM LOOKING forward to the day that the network is no longer geographical, and when boundary devices such as routers and firewalls exist in the cloud (Re: “Highly anticipated net virtualization startup Nicira exits stealth mode”; tinyurl.com/8xjmsuy).

This will be the day when users can boot their laptops (into a secure encrypted virtual machine) at a hotel and authenticate on the corporate active directory (or its replacement), all seamlessly without ever launching a VPN or other connector program. Where subnets and security will be based on role rather than geography.

David Lapham

AT&T users' 'unlimited' data

SURE, AT&T HAS “no legal obligation to support unlimited data”... I’m sure the company verified that with its lawyers before it began reneging on its offer. Integrity is not legally required by any company unless it wants to keep loyal users loyal (Re: “AT&T users report getting throttled at 2GB despite ‘unlimited’ data plans”; tinyurl.com/7qkuqp6).

While I admit it would have still been a difficult pill to swallow, I would much rather AT&T officially discontinued the unlimited data plan altogether, forcing me to change plans legitimately, rather than intentionally deceive me with false promises. Those false promises are what convinced me to select its product in the first place.

Robert Corwin

Best UC solution?

THE MOST TELLING part of this analysis is the line “the phone drives much of the decision” for voice. Straight from “1984,” looking at the past instead of the future (Re: “The When, Where and How of Cisco vs. Microsoft for Unified Communications”; tinyurl.com/8yb6rmy).

Voice is just one more way to communicate, and organizations see reduced voice usage once they deploy integrated IM, conferencing, voice and email solutions.

Video? Still waiting for end users to adopt and use it at the desktop level. All hype, no traction. Seeing a person is less important than seeing the content to collaborate on. A UC solution without native, integrated Web conferencing is missing the most integral part of a UC solution.

Andrew Ehrensing


Google Chrome knows where you’re going

FIRST CAME AUTOCOMPLETE, now get ready for auto page rendering. The latest version of Google's Chrome browser, known as Chrome 17, can determine which sites you’re likely to visit when you start typing them into your search bar and preload them for you to reduce rendering time. Google software engineer Noe Lutz compared the new feature to a local deli that pre-makes sandwiches because the workers know you order the same thing every day. The other big attraction of Chrome 17 is its improved security features that include cross-referencing all executable files with a whitelist of safe files. If the files aren’t on the whitelist, Chrome uses Google's search capability to check whether the website you’re getting the file from has been flagged for hosting malware. tinyurl.com/7f9t3ev
IT salaries climb, bonuses bounce

AFTER TWO straight years of flat wages, tech pros finally got a bump in 2011. The average wage for tech and engineering pros climbed 2% to $81,327 last year from $79,384 in 2010, according to salary data from Dice.com. Workers lucky enough to get bonuses saw an even bigger boost as the average bonus amount rose 8% to $8,769. Stiffer competition for tech pros contributed to the compensation gains. While the national unemployment rate is roughly 8.5%, the unemployment rate among tech professionals is 3.6%, says Tom Silver, a Dice senior vice president. Across the U.S., 12 of the top 20 cities for tech jobs had above average wage growth. Salary growth was strongest in Austin, Texas, where wages climbed 12.7% last year. Another metro area that saw particularly strong salary growth is Portland, Ore., where salaries grew 12.3% year over year. tinyurl.com/79jz52g

Cisco profit surges on higher sales, lower costs

CISCO POSTED year-over-year gains in revenue and profit for its fiscal second quarter, reporting sales up 11% to $11.5 billion and net income up 44% to $2.2 billion. The company also said it met a key cost-cutting goal ahead of schedule. “We are executing well on our three-year plan to drive earnings faster than revenue,” CEO John Chambers said in a statement. “We hit our billion-dollar expense reduction a quarter early.” Sales of the company’s UCS server lineup grew significantly in the second quarter, with revenue up 91% from a year earlier and an accumulated customer count of 10,763. Routing and switching revenue each grew 8%, while revenue from service-provider video infrastructure, another key focus at Cisco, grew 23%. tinyurl.com/74wxuap

IBM boosts storage speeds, unveils iPhone app

IBM BUFFED up its flagship grid-based XIV Storage System by unveiling several upgrade options, including the option of using solid-state drives (SSD) as cache to boost performance by 3X. All well and good, but IBM competitors NetApp and EMC have been offering SSD caching options for their arrays for a year or more. In addition to the caching option, IBM added the ability to mirror data between previous versions of XIV and its current XIV Gen3 systems, which it said will ease data migration and allow customers to repurpose their XIV models as disaster recovery backup systems. IBM also announced a new Apple iPhone app that lets administrators monitor XIV storage environments through a web-browser interface. tinyurl.com/7dv89kl

IT VIDEO

Marshmallow fun with President Obama

Along with the help from Joey, an eighth-grader from Arizona, U.S. President Barack Obama loaded a homemade rocket launcher and fired it inside the White House. tinyurl.com/7cxhl2h

Anything SAP can do, Oracle can do, umm... too

ORACLE SCOOPED up cloud-based talent management and employee recruitment software vendor Taleo for roughly $1.9 billion shortly after SAP’s $3.4 billion bid to acquire SuccessFactors, a close competitor of Taleo. Some 5,000 enterprises use Taleo’s software, which is used to handle 15% of employee hires in the U.S., according to Oracle. It remains to be seen how Taleo’s portfolio will be aligned with Oracle’s Fusion HCM (human capital management) software, which is also available as a cloud offering. According to Forrester Research analyst Paul Hamerman, the overlap with Fusion HCM is not that significant, since it currently lacks recruitment, learning and succession planning capabilities, all areas where Taleo is strong. “It’s actually a pretty complementary fit.” tinyurl.com/7r9zb4x

GOOD BAD UGLY

HASBRO HAS announced plans to update its Nerf Lazer Tag system in August so that you can link up your blaster with your iPhone or iPod Touch. You’ll be able to slot your Apple device into your plastic gun and download an app to get a heads-up display of your power level, new weapon powers and your standing on a global leaderboard, among other things.


FTC targets background screening apps

THE FEDERAL Trade Commission last week said it sent letters to six unidentified mobile applications makers warning them that their background screening apps may be violating federal statutes. Specifically the FTC said if the app makers have reason to believe their background reporting apps are being used for employment screening, housing, credit, or other similar purposes, they must comply with the Fair Credit Reporting Act which is supposed to protect consumer privacy and ensure that the information supplied by consumer reporting agencies is accurate.


Under DDoS attack

BOTH THE number and volume of distributed denial-of-service attacks are increasing, according to new reports from DDoS mitigation companies. During the fourth quarter of last year, Prolexic detected 45% more DDoS attacks compared to the similar period of 2010 and more than twice the number of attacks observed during the third quarter of 2011.

There’s a trend toward a shorter attack duration, but a bigger packet-per-second attack volume, said Paul Sop, Prolexic’s CTO. This trend is reflected in a report from Arbor Networks which surveyed 114 people about their experience with DDoS attacks in 2011. Over 40% said they experienced attacks that exceeded 1Gbps in bandwidth last year, while 13% said they were the target of at least one attack that exceeded 10Gbps.


Microsoft wants Windows 8 to sip the juice

IN AN effort to prolong battery life, Windows 8 has been trained to be stingy when it comes to doling out power to applications, particularly Metro-style applications written specifically for the operating system. Microsoft developers say they let active applications grab the resources they need but strip down resources used by applications standing by. Power scrimping extends to the operating system itself through an effort the company calls power hygiene. The goal is to balance this economy with functionality, so, for example, applications finish tasks they have started even if users switch to something else. The upside for users is they won’t have to limit the number of apps running at any given time and can expect them to respond immediately when they are switched to. tinyurl.com/6necelz

Kelihos, the undead botnet?

CONTRARY TO reports, the Kelihos botnet has not crawled out of the grave. But Microsoft acknowledged that a new botnet is being assembled using a variant of the original malware. The reappearance of a Kelihos-like army of hijacked computers shows just how difficult it is to eradicate a botnet, security experts say. “It’s not possible, in most cases,” says Roel Schouwenberg, a senior researcher with Kaspersky Lab. “What you’re going for is disruption more than anything.” Liam O Murchu, manager of operations at Symantec’s security response team, agrees, saying there is only one way to ensure a botnet’s death. “If you get to the people behind it [through arrests and convictions], that will be the most successful. But international borders and the lack of cross-country cooperation make that a difficult road to go down.” Kelihos was taken offline last September when Microsoft, using a federal court order, led efforts to shut down domains used by the Kelihos command-and-control system, severing links between the compromised computers and the order-giving master. tinyurl.com/7tvokfe

FBI unbolts Steve Jobs 1991 investigation file

THE FBI last week released a background check it did on Apple’s founder Steve Jobs when he was being considered for a position on the President’s Export Council under George H.W. Bush in 1991. The 191-page document, released under the Freedom of Information Act, includes documents related to a 1985 investigation of a bomb threat against Apple and a host of other observations, many of them not surprising — he was strong willed, stubborn, hardworking and driven. Not all of the observations were flattering, however. Several individuals questioned his honesty, stating that Jobs will twist the truth and distort reality in order to achieve his goals. tinyurl.com/7cymus8
TREND ANALYSIS

Mobile management: Apple’s extra requirement

BY ELLEN MESSMER

ANYONE WANTING to buy mobile-device management software to manage Apple iOS devices will find they need a special digital certificate from Apple to activate it, a requirement that doesn’t apply to the same MDM software that would be used to manage Google Android devices, for instance.

MDM software — such as that from MobileIron, Good Technology, Sybase, AirWatch, McAfee, Symantec and several others — is loaded onto mobile smartphones and tablets to allow IT managers to keep track of employee equipment, to remotely wipe these devices and to apply security controls. Enterprises buying MDM software to manage Apple iOS devices are sometimes surprised to find out about the Apple digital certificate requirement that they must obtain.

When design firm Holly Hunt decided to manage its Apple iPads with BoxTone MDM software, IT managers there found out they had to apply to Apple for a signed digital certificate for the MDM software in order to activate it. “It was a long process, but now we’re a licensed Apple software developer,” says Neil Goodrich, director of business analytics and technology at Holly Hunt. The application process took more than a month and resulted in a signed digital certificate that not only activated the BoxTone MDM software to manage the firm’s Apple devices, but also gave Holly Hunt the right to create its own iOS apps.

However, enough people last year found this particular Apple MDM certificate-issuance process cumbersome, so in September 2011 Apple changed it, explains MDM vendor AirWatch. (Apple did not respond to an inquiry asking for clarity on why it demands the signed digital certificate for MDM.)

Blake Brandon, technical consultant at AirWatch, says the older certificate-issuance process with Apple used to cost $300 but the simpler process today is free. He says now the Apple MDM digital-certificate issuance process only takes a few days at most. But what you get now does not include the Apple software developer license but only what’s called the “Apple Push Notification Service” (APNS) certificate. (To get the Apple software developer license, you now have to apply separately and go through what is a more involved registration process.)

Apple does require the APNS digital certificate to use any vendor MDM software with Apple iOS 4.0 and 5.0 devices and getting that certificate signed properly takes a few steps, Brandon says. AirWatch has instructions on how to do this on its site. (There are also a lot of instructions still lingering here and there across the Web for the older Apple MDM certificate-issuance process.)

The MDM enterprise customer first has to digitally generate a certificate on its own, and then get it digitally signed by both the MDM vendor and Apple. This digitally signed certificate process, typically done over the Web, results in a signed certificate that is then loaded into the server associated with the MDM software, he says.

Neither Google Android devices nor other brands have to go through this certificate-signing process for the same MDM software, acknowledges Brandon. Nevertheless, he argues the Apple certificate requirement, which started in June 2010 with iOS 4.0 when Apple introduced its MDM APIs, is a good idea. He says it gives Apple a way to have control over what works well on Apple iOS devices in terms of battery and other factors. Indeed, this is the same argument that Apple makes on its website in describing the digital-certificate issuance process. ■


Centrex: It’s alive (for now)!

BY BRAD REED

CENTREX IS a lot like the talking plague victim from Monty Python’s “Holy Grail”: It’s not quite dead yet.

Joan Moyer, president of the end user-run nonprofit International Telecommunications Professionals Exchange (ITPX), says Verizon and AT&T combined have more than 10 million analog Centrex lines still active across North America. This is, of course, way down from the estimated 16.5 million analog Centrex lines that were active in the United States in 2002, but it’s still a significant figure.

Centrex has been around since the 1960s when it was developed by New York Telephone as a substitute for PBX switchboards in large enterprises. Companies were initially drawn to Centrex because it meant they didn’t have to dedicate in-house staff to running the telephone system and could instead rely upon the phone company to do it for them. But with the advent of hosted VoIP services in recent years, Centrex has largely fallen by the wayside for many enterprise users.

In fact, the ITPX used to be known as the National Centrex Users Group before changing its focus to cover both Centrex and more modern technologies such as VoIP. Moyer says the group, which is holding its yearly conference and trade show in Las Vegas on April 23, now does a lot of work in helping members make the transition away from analog-based Centrex.

Even so, Moyer says many members of her organization, particularly government agencies, still use Centrex for their telephone exchange system even as they plan to eventually migrate over to a VoIP system.

“A lot of federal government agencies are big users of Centrex, as well as large enterprises with multiple locations,” she says. “Because Centrex is hosted it’s easy to put a seamless system across multiple locations.”

Moyer does acknowledge that most ITPX members aren’t planning on staying with analog Centrex forever and are likely to shift gradually over to a hosted IP-based service instead. However, she says Centrex is still meeting its hosted telephony needs at a low cost since “all the equipment” for Centrex “has been purchased and paid for” and agencies aren’t spending money to hire people in-house to maintain it. And besides, she notes, “a lot of the time ... government people don’t want to be on the bleeding edge of technology because if the system goes down, you’ve got problems.” All told, Moyer expects that Centrex will likely still be with us for the next 10 to 15 years.

Irwin Lazar, an analyst at Nemertes Research, says he rarely sees Centrex being used by large corporate enterprises. However, he says Centrex still has a place at many large universities that just need a system to deliver basic voice services. ■
Lync-Skype integration a ‘compelling opportunity’

BY JUAN CARLOS PEREZ, IDG NEWS SERVICE

MICROSOFT  IS  looking  at  creating  a  bridge 
between  Lync,  its  enterprise  IM,  voice  and 
video  communications  product,  and  Skype  as 
part  of  its  broader  initiative  to  extend  the  Office 
platform,  a  company  executive  said  last  week. 

Microsoft,  which  closed  its  $8.5  billion 
acquisition  of  Skype  in  October  of  last  year, 
views  the  massively  popular  IM,  Internet 
telephony  and  video  chat  consumer  service 
in  part  as  a  vehicle  for  connecting  enterprise 
Lync  users  with  consumers,  according  to 
Bill  Koefoed,  Microsoft’s  general  manager  of 
investor  relations. 

“We think [Lync] is a big opportunity. Part of the reason why we love
the Skype acquisition is because when you think about the integration
between Skype and Lync, between the enterprise and the consumer, it ends
up being a pretty interesting opportunity as we go forward there,” he
said at the Stifel Nicolaus Technology & Telecom Conference.

Koefoed, whose appearance at the conference was webcast, acknowledged
that Microsoft hasn’t spent a lot of time yet talking about its road map
for Skype, but made it clear that integrating it with Lync is in the
works.

“Enabling an enterprise to talk to a consumer via the Lync-Skype
integration would be something you’d think we’d be looking at, for
sure,” said Koefoed, who answered questions from a financial analyst and
from audience members.

Microsoft offers an on-premise version of Lync that has both a server
and a client component, as well as a cloud-based version called Lync
Online that has a subset of the functionality and is available as part
of the Office 365 cloud collaboration and communication suite.

Asked for comment about Lync and Skype, a Microsoft representative said
via email: “Lync and Skype are not integrated today. So while we have
nothing formal to announce today regarding Lync and Skype, we’re
incredibly excited about the opportunities to extend the value of Skype
to other Microsoft products and services.”

Another Microsoft official made a reference recently to plans to broaden
the integration between Lync Online and consumer IM networks. At ITExpo
in Miami last week, David Grider, a Microsoft Lync technology
specialist, said that Microsoft plans to make Lync Online interoperable
with non-Microsoft IM networks. Lync Online is currently integrated with
Microsoft’s consumer IM service Windows Live Messenger, but not with
others like Yahoo Messenger.

Lync Server 2010, however, does feature IM and presence federation with
XMPP-based networks like Jabber and Google Talk and with other consumer
networks such as Yahoo Messenger and AOL Instant Messenger (AIM).

When asked to name Microsoft products he is particularly bullish about,
Koefoed mentioned at the top of his list Office 365, which Microsoft
announced in late 2010 and began selling in June of last year as a
competitor to Google Apps and other cloud-based communication and
collaboration suites. ■


Microsoft’s  Bill  Koefoed: 
Lync  and  Skype  could 
connect  enterprises  with 
consumers. 


Microsoft  mobile  CRM  clients  on  the  way 


BY TIM GREENE

THE PRODUCTIVITY of salespeople could jump with the upcoming release of
native Microsoft Dynamics CRM applications for specific mobile platforms
and put the software vendor ahead of some of its competitors, an expert
says.

CRM applications on mobile devices already improve productivity 14.6%
for sales staff that use them, says Rebecca Wettemann, vice president of
research for Nucleus Research, and these native apps should work that
much better on their respective platforms, she says.

Microsoft has announced that next quarter it will release native
Dynamics CRM clients for its own Windows Phone 7 as well as Android 2.2,
BlackBerry and Apple’s iOS.

With native apps customized for each platform, the look and feel of the
application on each device should improve over what it would be with a
generic client, Wettemann says.

“I wouldn’t say they’re out in front, but native clients out of the box
is pretty advanced,” she says, adding that no vendor has delivered
native apps for all these platforms yet, but that eventually “we’re
going to see all vendors doing model-specific clients.”

She says this development is necessary for Microsoft because ease of use
is important to CRM customers that want support for mobile devices, and
native clients will be a step in that direction. For example, a December
2011 case study by Nucleus says that Kimberly-Clark had to develop its
own custom Salesforce CRM applications for iPads in order for its field
salespeople to use the service.

Mobile devices are enormously popular among salesforces: The iPhone is
the most commonly used device for accessing CRM, Wettemann says, with
67% of CRM users using their iPhone to access some CRM application. With
the increase in businesses that allow personal devices to be used for
corporate purposes, the number of devices that need CRM support is
constantly increasing.

From a management perspective, a single client that would perform with
equal effectiveness on multiple devices is most desirable, but that will
take some time to develop.

With  the  longer  term  in  mind  Microsoft 
says  it  is  working  on  an  HTML5  client  that 
fits  the  bill  of  working  well  on  all  platforms. 

The  new  native  applications  for  Dynamics 
CRM  will  come  as  part  of  a  regular  update  to 
Microsoft’s  Dynamics  CRM  offerings.  With 
the  initial  release,  users  will  be  able  to  work 
offline  with  data  they  have  downloaded  to 
their  mobile  devices,  and  they  can  synch  the 
devices  with  other  devices  online. 

While  the  new  clients  grab  most  of  the 
attention,  the  latest  update  of  Dynamics 
CRM  includes  a  server  component  that 
includes  management  and  security.  One 
feature  can  wipe  sensitive  corporate  data 
from  devices  if  they  become  lost,  stolen  or 
compromised. 

Dynamics  CRM  costs  $30  per  month  per 
user,  and  each  license  covers  three  devices 
and  includes  the  full  set  of  server  features.  ■ 
How to protect online transactions

[Figure: CA Arcot WebFort, from the user perspective]

User experience (online application): User sees login page with user
ID/password, enters information and hits ENTER.

The second factor is executed in the background (CA Arcot WebFort):

1. Application gets a challenge (a random string) from WebFort.

2. Application embeds challenge in the login page that was sent to user.

3. User’s password combines with ArcotID to sign the challenge (password
is not sent to the application).

4. Signed challenge sent back to application.

5. Application asks WebFort to verify the signed challenge; a positive
response means the user is authenticated.

With the CA ArcotID secure software credentials, users gain improved
security of multifactor authentication without changing their familiar
username and password login experience.
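The five background steps in the figure, as a runnable sketch. This is an added example, not CA Arcot's code: the `Verifier` class stands in for WebFort, and an HMAC key derived from the password plus a device-held secret stands in for the ArcotID signature, whose real construction the article does not describe. All function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example


def derive_key(password: str, device_secret: bytes) -> bytes:
    """Combine what the user knows (password) with what the device holds.
    Neither input alone is enough to reproduce the signing key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), device_secret,
                               PBKDF2_ROUNDS)


def sign_challenge(password: str, device_secret: bytes, challenge: str) -> str:
    """Step 3 (client side): sign the challenge. The password stays local."""
    key = derive_key(password, device_secret)
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Hypothetical stand-in for the authentication server in the figure.
    Because HMAC is symmetric, it stores the derived key at enrollment; a
    public-key scheme would store only a public key."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self.keys = {}     # user -> enrolled verification key
        self.pending = {}  # challenge -> (user, time issued)

    def enroll(self, user, password, device_secret):
        self.keys[user] = derive_key(password, device_secret)

    def new_challenge(self, user, now=None):
        """Step 1: give the application a fresh random string."""
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (user, time.time() if now is None else now)
        return challenge

    def verify(self, user, challenge, signature, now=None):
        """Step 5: check the signed challenge. Each challenge works once."""
        entry = self.pending.pop(challenge, None)  # consumed even on failure
        if entry is None:
            return False  # unknown or already used: a replay
        owner, issued = entry
        now = time.time() if now is None else now
        if owner != user or now - issued > self.ttl or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], challenge.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), signature.encode())


def login(verifier, user, password, device_secret):
    """Steps 1 to 5 end to end. Returns (authenticated, data the app saw)."""
    challenge = verifier.new_challenge(user)                        # step 1
    # step 2: the application embeds `challenge` in the login page
    signature = sign_challenge(password, device_secret, challenge)  # step 3
    app_saw = {"user": user, "challenge": challenge,
               "signature": signature}                              # step 4
    return verifier.verify(user, challenge, signature), app_saw     # step 5
```

The application only ever handles the challenge and its signature, so a copy of what it received cannot be replayed and does not contain the password.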


BY  JULIE  SARTAIN 

THE TRUSTY telephone is emerging as one of the key elements in new
multifactor authentication schemes designed to protect online banking
and other Web-based financial transactions from rapidly evolving
security threats.

New federal guidelines, which took effect last month, recommend multiple
layers of security controls beyond the traditional username/password,
particularly out-of-band authentication methods.

While the Federal Financial Institutions Examination Council (FFIEC)
rules apply specifically to banks, credit unions, mortgage lenders and
savings and loans, every organization that deals in online financial
transactions, such as shopping portals, credit card companies and online
bill payments, is affected.

One of the main weapons in today’s hacker arsenal is password phishing.
In this scenario, hackers use phishing emails to steal online banking
credentials and break into user accounts.

In  response,  banks  and  other  financial 
institutions  have  deployed  technologies  like 
device  identification,  challenge  questions  and 
one-time  password  tokens,  according  to  Sarah 
Fender,  vice  president  of  product  management 
at  authentication  vendor  PhoneFactor. 

Forrester analyst Andras Cser emphasizes that login IDs and passwords
are no longer enough. He says preselected images, challenge questions,
device information and device reputation are all effective second-factor
authenticators.

But the problem with many of those “in-band” authentication methods is
that the device itself might be infected with malware, adds Fender.

Plus there are more advanced threats, such as keyloggers, man in the
browser (MITB) and man in the middle (MITM) attacks, which require even
more sophisticated security measures.

Gartner analyst Ant Allan says, “Virtually every authentication
technique can be compromised or circumvented. Authentication is better
than legacy passwords to minimize the risk for ‘quick and dirty’ attacks
such as phishing, but there is a limit to the utility of seeking
higher-assurance methods that are harder to compromise directly. At some
point, the attackers will move to MITB attacks, which hijack already
authenticated sessions, effectively bypassing authentication, to
manipulate transaction details or insert bogus transactions.”

Allan says there are two advanced technologies that are effective in
combatting the current crop of attacks: Web fraud detection and
transaction verification.

According to Allan, Web fraud detection evaluates contextual information
about the user’s connectivity (endpoint identity, geographic location
and so on) and looks for anomalous transactional behavior (compared to
user history and to other users; e.g., are multiple users making
transfers to the same new account?).

Transaction verification uses a number of techniques to confirm that the
transaction details received by the bank (a) originated with the user
and (b) are what the user intended. Interactive transaction confirmation
via an out-of-band method, as outlined in the FFIEC guidance, is
effective for desktop browser sessions and is possibly the most
attractive option.

Of course, there are even more robust security methods — OTP (one-time
password) hardware tokens with PIN pads and the EMV (Europay,
MasterCard, Visa) payment card readers — but banks have run up against
customer resistance to these types of security measures.

Here  are  some  of  the  current  options  for 
effective  authentication  of  online  transactions. 

Risk-based authentication: An example of risk-based authentication is CA
Arcot’s RiskFort, a sophisticated tool that incorporates analytical
fraud models based on a statistical analysis of transaction and fraud
data.

“RiskFort collects a wide range of data about each login or transaction
to produce a risk score derived from analytics and rules,” says Ram
Varadarajan, general manager at CA Arcot Security solutions, CA
Technologies.

He adds, “The risk score determines what action, if any, to take for a
given transaction, such as requiring a higher form of authentication.
This is a scenario where risk-based authentication works collaboratively
with strong authentication. If a transaction appears suspicious, another
factor of authentication can be invoked to ‘step up’ the authentication
and security.”

Versatile authentication platforms: Entrust offers IdentityGuard and
TransactionGuard. “IdentityGuard handles strong authentication in
breadth as well as depth. It supports hard tokens, soft tokens, smart
cards, SMS tokens, geolocation, eGrids and more. Authentication could be
relatively simple for clients using their own computers from their own
homes, but increases in depth if they are using a hotspot, and even more
if they are in another country,” says Jon Callas, CTO at Entrust.

One improved technology is Entrust’s patented electronic grid (eGrid), a
simple, two-factor authentication system that requires little to no
supporting technology. It’s a grid of two-character codes indexed by
letters and numbers. A bank can ask a user, for example, to provide the
codes for E4, A1, H3. The user looks them up on his/her eGrid and
replies CX, G3, 23 (which is, obviously, different on every card), and
if the corresponding table matches, then the authentication is correct.

“Note that it doesn’t require users to have a smart card, a token or any
other supporting technology,” adds Callas. “It can be printed, kept as a
picture, embossed on a badge or almost anything else. I have one that’s
a picture, which I keep on my iPhone, and I use it to authenticate to
Web mail.”
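The grid exchange described above (the bank names cells, the user reads the codes off the card), sketched from the server's side. This is an added example, not Entrust's implementation; the 10 x 5 card size, the names, and the retry and lockout policy are assumptions.

```python
import hmac
import secrets
import string

COLUMNS, ROWS = "ABCDEFGHIJ", "12345"  # assumption: a 10 x 5 card
ALPHABET = string.ascii_uppercase + string.digits


def issue_card():
    """Build one user's card: a random two-character code in every cell."""
    return {col + row: "".join(secrets.choice(ALPHABET) for _ in range(2))
            for col in COLUMNS for row in ROWS}


class GridAuthenticator:
    """Hypothetical server side of a grid-card second factor."""

    def __init__(self, cells=3, max_failures=3):
        self.cells = cells
        self.max_failures = max_failures
        self.cards = {}     # user -> {coordinate: code}
        self.pending = {}   # user -> coordinates currently being asked
        self.failures = {}  # user -> consecutive wrong answers

    def enroll(self, user, card=None):
        """Store the card the user was given (printed, on a badge, etc.)."""
        self.cards[user] = card or issue_card()
        self.failures[user] = 0
        return self.cards[user]

    def challenge(self, user):
        """Name the cells to look up. The same cells stay pending until they
        are answered correctly, so a retry does not expose different cells."""
        if user not in self.pending:
            coords = sorted(self.cards[user])
            self.pending[user] = secrets.SystemRandom().sample(coords,
                                                               self.cells)
        return list(self.pending[user])

    def verify(self, user, answers):
        """Compare the answers with the stored card, cell by cell."""
        coords = self.pending.get(user)
        if coords is None:
            return False  # nothing was asked
        if self.failures.get(user, 0) >= self.max_failures:
            return False  # locked out until re-enrolled
        card = self.cards[user]
        ok = len(answers) == len(coords)
        for coord, answer in zip(coords, answers):
            given = answer.strip().upper().encode()
            # constant-time compare, and no early exit on the first miss
            ok &= hmac.compare_digest(card[coord].encode(), given)
        if ok:
            del self.pending[user]  # the next login gets new cells
            self.failures[user] = 0
        else:
            self.failures[user] += 1
        return ok
```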

Phone-based authentication: “Phone-based authentication is swiftly
becoming the method of choice,” says PhoneFactor’s Fender. “These
systems leverage the user’s telephone as the trusted device for the
second factor of authentication. Telephones are extremely difficult to
duplicate and phone numbers are extremely difficult to intercept. The
combination of the phone and a username with password yields strong,
multifactor authentication with minimal impact on the user experience.”

She  adds,  “PhoneFactor  users  can  choose 
whichever  authentication  method  they  prefer 
such  as  phone  call  or  text  message,  and  all  these 
solutions  provide  the  same  level  of  out-of-band 
security  and  convenience.  Additional  security 
features  include  PIN  mode,  voiceprint  and 
transaction  verification,  which  can  be  mapped 
to  particular  users  and/or  levels  of  risk.” 

Image-based authentication: One clever, new technology by Confident
Technologies uses images on a touch-screen phone for authentication.
Unlike multifactor authentication processes that send a one-time text
message pass code to the user’s phone, this technology provides a secure
second factor by encrypting a one-time pass code within an image-based
authentication challenge.

“When an authentication requirement is triggered, users identify
pictures on their phone screen that match their previously selected,
secret categories,” says Curtis H. Staker, CEO at Confident
Technologies. “For example, if a user preselects the categories called
cars, food and dogs, a grid of 12 (or so) images appears that contains
various images, three of which fit their categories, such as a Corvette,
a hamburger and a beagle. By correctly identifying the pictures that
match their secret authentication categories, users are, essentially,
re-assembling the one-time pass code that was encrypted within those
pictures. Importantly, the process remains completely out-of-band from
the Web session.”

“This concept of image categories is intriguing,” says Scott Crawford,
managing research director at Enterprise Management Associates.
“Particularly for mobile or touch-screen form factors (where text input
can be a challenge) and for cross-cultural or multi-language use cases,
but the technique may beg the question as to whether or not users can
consistently remember the categories they have chosen.”

Staker adds that the specific images displayed are different every time,
but the users’ categories always remain the same. “This makes it
difficult for anyone else to determine the users’ secret categories.
Even if someone else gained possession of the mobile phone or
intercepted the communication, they would not be able to authenticate
because the one-time password is encrypted within the images,” adds
Staker.

Biometrics: Biometrics include authentication properties such as face
recognition, fingerprint identification, hand geometry biometrics,
retina scan, iris scan, digital signatures and voice analysis.

“I’m  not  sure  if  biometrics  is  considered 
new,  but  it’s  definitely  improved,  and  it’s  an 
area  that  ebbs  and  flows,  as  far  as  interest  is 
concerned,”  says  Chris  Silva,  mobile  industry 
analyst  at  Altimeter  Group.  “The  newest  buzz 
in  biometrics  that’s  garnering  attention  in  the 
mobile  space  is  facial  recognition.  It  has  a  lot 
of  promise  for  the  devices  that  we  all  carry 
around  with  us,  which  have  limited  physical 
keyboards  (or  none  at  all)  and  often  need  to  be 
accessed  while  we’re  multi-tasking.” 

Many  companies  are  experimenting  with 
biometrics  as  an  additional  layer  of  security; 
for  example,  PhoneFactor  uses  Voiceprint 
Verification  as  a  third  factor  of  authentication 
on  top  of  its  other  offerings. 

Summary 

As everyone in the security business knows, there is no perfect answer.
Allan points out that “whatever the desirable level of assurance, it has
to be balanced against cost (deployments for hundreds of thousands of
users are very cost sensitive) and user experience. We know that bank
customers may change their banks if new security features such as
authentication degrade the user experience: In a survey a couple of
years ago, Gartner found that 3% of customers had done so, and a further
12% considered it,” adds Allan.

Sartain is the author of “Data Networks 101” and a freelance journalist
from Salt Lake City, Utah. She can be reached at julesds@comcast.net.
TOOLS

NeuroSky MindWave: Fun with brainwaves

In last week’s Gearhead I discussed, in part, the science of
electroencephalography or EEG ... the detection and measurement of the
neurological activity of the brain via electrodes attached to a
subject’s scalp. Last week’s EEG electrode platform was built into a
cap. This week I have a system that detects both EEG and
electromyography signals (or EMG), the latter being the signals
generated by muscles.


The  NeuroSky  MindWave  headset  makes 
you  look  like  you’re  auditioning  for  “Star 
Trek,”  although  the  design  is  more  “Next 
Generation”  than  classic  “Star  Trek.” 

The  MindWave  has  two  dry  sensor 
contacts,  one  that  touches  your  forehead  and 
another  that  clips  onto  your  left  earlobe. 

The  MindWave  headset  communicates 
with  a  computer  via  a  USB-interfaced 
“dongle”  and  requires  driver  software  to  be 
installed  on  the  host  system. 

The  driver  software  is  straightforward  to 
install  under  Windows  (I  used  an  HP  laptop 
running  Windows  7  Home  Ultimate)  and, 
while  not  hard  under  OS  X  (I  used  it  on  an 
iMac  running  OS  X  10.7.2),  it  is  a  slightly 
clumsier  process  requiring  you  to  run  two 
downloads,  one  after  the  other  in  order. 

After the drivers are installed you have to run the MindWave Manager
application to register the MindWave headset with the computer. Once
registered, the ThinkGear Connector, another driver that bridges between
the USB driver and MindWave-enabled Flash applications, is loaded (it is
configured to load automatically when Windows or OS X starts). There’s
also yet another driver, the CogniScore Connector, that tracks your
achievements with applications that exercise and test your mental
abilities and file their assessment of your skills with the “connector.”

Really?  Couldn’t  all  of  this  architecture 
be  hidden  from  the  user  and  the  MindWave 
Manager  and  the  CogniScore  Connector  be 
built  into  the  ThinkGear  Connector? 

Mark Gibbs’ Gearhead

Anyway, you can download a variety of MindWave-enabled applications
created by both NeuroSky and third-party vendors from the NeuroSky
store. Some of these applications are free while others are seriously
spendy (intended for academic and business use).

In the free category are a number of games. For example, there’s
“blink/zone,” a game in which virtual fireworks are launched from the
bottom of the screen and how high they rise is dependent upon how
focused (attentive) you are. When each firework reaches its maximum
height you are supposed to blink to make it explode and the higher each
explosion is, the more points you get.

What this and many of the other MindWave-enabled games are doing is to
train your ability to concentrate and simultaneously relax using
biofeedback. Biofeedback is defined on Wikipedia as “the process of
becoming aware of various physiological functions using instruments that
provide information on the activity of those same systems, with a goal
of being able to manipulate them at will. Processes that can be
controlled include brainwaves, muscle tone, skin conductance, heart rate
and pain perception.”

If  you  want  an  interesting  visualization 
of  your  mental  state  I  recommend  the  free 
Sekati  Brain-Computer  Interface  featuring  a 
field  of  blue  balls. 

The author, Jason Horwitz, says when your brain waves become readable
the blue balls “snap in to focus. When the waves become focused & reach
above a certain (configurable) threshold, gravity is removed ... and the
balls begin to float to the top of the screen like balloons (conversely
a loss of focus reapplies gravity & the balls drop like rocks). The user
may also control the direction in which the balls travel with the type
of thought used; focus & concentration forces the velocity of the balls
to the left, whilst a more relaxed, passive, observant state of mind
forces the balls to the right (keep in mind; this is not mind-control;
but rather advanced biofeedback — & in practice is a lot like using
muscles you did not know you possessed).”

The  benefits  of  biofeedback  training 
are  well  established  and,  at  $99.95,  the 
NeuroSky  MindWave  is,  by  far,  the  lowest 
cost  and  most  data-rich  EEG/EMG  system 
available  with  which  to  do  it.  It’s  just  begging 
for  you  to  develop  that  killer  application! 

The NeuroSky MindWave gets a Gearhead rating of 5 out of 5!

Your thoughts to gearhead@gibbs.com.

The NeuroSky MindWave headset makes you look rather like you’re
auditioning for “Star Trek,” although the design is definitely more
“Next Generation” than classic “Star Trek.”
Secure Backup Anywhere, Anytime

AG Semiconductor employees have peace of mind regardless of location
with EVault.

At any given moment, AG Semiconductor’s 40 employees can be spread
across a dozen countries, some with intermittent Internet connections
and all with varying bandwidth. With employees saving most of their
files to their laptops, AG Semiconductor needed a backup and recovery
solution that would ensure backup of its laptops and servers regardless
of users’ locations. That’s when it turned to EVault Express Recovery
Appliance SaaS.

What appealed to you about cloud-based backup and recovery from EVault?

There  are  three  aspects.  First,  I  don’t  have 
to  deal  with  the  infrastructure.  The  entire 
infrastructure,  not  just  the  data  storage  costs, 
is  fairly  expensive  to  maintain,  and  it  has  to 
be  reliable  or  it  doesn’t  have  much  value. 
We’re  a  small  company;  our  value  is  better 
served  by  making  the  company  better  and 
not  by  making  sure  the  backup  servers  are 
continually  running. 

The second aspect has to do with the distributed nature of the company.
We have facilities in three countries, with people operating in a dozen
different countries right now.

An infrastructure that can support them is more expensive, more
difficult to maintain and very difficult to implement when you don’t
have a local presence. So we looked for someone who had that capability.

I also wanted a solution that was secured via the Internet so that no
matter where someone was in the world, as long as they have an Internet
connection they also have a backup connection. Most of the other
technologies we were looking at were designed for environments where
everyone is sitting in one office with a LAN. Companies designing backup
for the cloud are designing for periodic connections. It’s a different
dynamic than designing for on-premise solutions.

How  does  EVault  help  you  achieve  your 
business  goals? 

We send people around the world to work with our customers. EVault means
that I don’t worry about backup when someone goes to China or Russia. As
long as employees can get Internet access for a small period of time,
they are safe. They don’t have to carry an extra hard drive, and I don’t
have to remind them to back it up regularly. Backup isn’t a user’s
responsibility anymore, it is automatic and seamless. IT only gets
involved when there is a problem.

How  would  you  describe  your  backup  and 
recovery  before  and  after  EVault? 

Our prior backup solution worked domestically but very poorly
internationally. We’ve been able to use EVault worldwide, and that has
huge value. Before EVault, the backup and recovery process was
cumbersome.

With our previous solution we had to use the individual’s last backup
combined with attachments they emailed, combined with documents from
coworkers and reconstituted data. Backup and recovery wasn’t simple or
streamlined. Now it is—EVault works. We haven’t had a single major
problem since we rolled it out to 40 laptops and close to a dozen
servers. It just runs and does its thing. We’re very comfortable with
it.

What  has  your  experience  been  with 
EVault  tech  support? 

They’ve  been  absolutely  fabulous  to  work  with 
both  pre-  and  post-sale.  When  we  send  EVault 
a  question,  we  get  an  answer  quickly,  24  hours 
a  day.  A  number  of  people  on  the  support  staff 
have  helped  us  immensely  over  the  past  year. 
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GADGETS 


Toshiba’s 
USB  3.0  drive; 
winter  gloves  fo 
touch-screening 


Keith  Shaw’s 
Cool  Tools 


Shaw  can  be  reached  at 
kshaw@nww.com. 


Canvio  3.0  Plus 
external  hard  drive 


Agloves  touch¬ 
screen-enabled 
winter  gloves 

by  Agloves,  about  $18 


►  Why  it’s  cool:  Other  winter  gloves  that  attempt  this  either  have  a 
fingertip  part  that  disconnects  to  expose  your  finger  to  let  you  use 
the  touch  screen,  or  they  only  allow  for  one  or  two  fingers  (usu¬ 
ally  the  index  finger  and  thumb)  to  operate  the  screen.  With  the 
Agloves,  the  entire  glove  becomes  available  for  use,  so  you  can  oper¬ 
ate  a  phone  with  your  pinky,  or  even  the  back  of  your  hand  if  you 
like.  In  my  tests,  I  was  able  to  unlock  my  phone,  open  up  an  app  and 
even  type  some  simple  text  messages  while  using 
the  gloves.  As  long  as  the  gloves  fit  (that  is,  they 
are  tight  enough  to  form-fit  around  the  finger), 
you  should  be  able  to  type  just  fine. 


►  Some  caveats:  While  the  gloves  work  fine 
in  the  “does  it  work?”  department,  the  gloves 
are  less  warm  when  compared  with  leather  or 
thicker  gloves  (for  example,  I  wouldn’t  wear  these 
during  a  wet  snow  event  or  when  going  skiing), 
but  for  everyday  use,  they’re  fine. 


►  Grade  ★★★★* 


by  Toshiba,  about  $180  (1TB  version) 


►  What  it  is:  The  latest  external  hard  drive  from 
Toshiba  features  1TB  of  storage  capacity,  a  USB  3.0  connection  (with 
USB  2.0  support),  a  free  30-day  trial  of  cloud  backup  software,  file/ 
folder  data  encryption  (256-bit,  via  password  protection),  an  internal 
shock  sensor  to  protect  it  from  drops,  and  a  drive  space  alert  system 
that  tells  you  if  the  drive  is  full. 


►  Why  it’s  cool:  Compared  with  USB  2.0  drives,  the  USB  3.0 
interface  will  allow  for  speedier  file  data  transfers  between  your 
PC  and  the  drive  —  in  our  tests  we  achieved  between  85M-86MBps 
of  read  speeds,  and  about  53M-56MBps  of  write  speeds  —  these 
aren’t  the  fastest  I’ve  seen  with  USB  3.0  (the  upper  range  is  about 
95M-100MBps),  but  they  are  faster  than  USB  2.0  drives. 


►  Some  caveats:  No  Mac-to-Windows  integration;  while  you  can 
copy  files  from  the  drive  to  a  Mac,  you  can’t  copy  files  from  a  Mac 
to  the  hard  drive  unless  you  reformat.  Other  drives 
I’ve  tested  (Seagate,  in  particular)  include  a  driver 
that  lets  you  copy  Mac  files  to  the  Windows-based 
drive  without  reformatting. 


►  Grade  ★★★★  (out  of  five). 


► What they are: We’re in the middle of winter here in the Northeast,
so I recently acquired a pair of winter gloves (mittens, if you want
to get technical) that let you operate a touch-screen device
(smartphone or tablet) without removing the gloves. The Agloves
include tiny particles of silver woven into the gloves to help create
the bioelectricity needed to operate the touchscreen.
Are we winning the cybersecurity war?


We’re out ahead


Chirantan “CJ” Desai, senior vice president of the Endpoint & Mobility
Group at Symantec


WHEN WE ANNOUNCED THE DISCOVERY in October 2011 of the Duqu attack, a
remote access Trojan that was a precursor to a future Stuxnet-like
attack, the news made headlines worldwide as another example of just
how sophisticated and insidious cyberthieves have become. Add Duqu to
the other attacks and data breaches that received significant media
attention in 2011 and it is understandable why there’s a growing
perception that attackers are winning the cybersecurity war, and that
companies are helpless to keep their information and interactions safe.

That  perception  is  incorrect.  In 
fact,  when  you  compare  the  handful 
of  successful  attacks  to  the  millions 
that  are  thwarted  every  year,  you  find  the  cybersecurity  war  is 
extremely  one-sided  in  favor  of  the  good  guys. 

I  don’t  want  to  downplay  the  significant  risks  attackers  pose  to 
organizations;  a  data  breach  can  result  in  the  loss  of  millions  of 
dollars  and  irreparable  damage  to  reputations.  The  sheer  volume 
of attacks is staggering: In 2010 alone, Symantec blocked 3.1 billion
attacks. That number is overshadowed by the few successful
attacks  that  receive  media  attention. 

Approximately  144,000  malicious  files  are  detected  each  day. 
This  translates  to  a  rate  of  more  than  4.3  million  each  month.  This 
war against malware authors is constant and ongoing,
similar to the ongoing war on crime. Security
professionals  are  like  the  police  —  we  don’t  expect 
the  police  to  eradicate  crime  altogether,  but  they 
play  a  critical  role  in  preventing  criminals  from 
winning  that  war. 

That raises a critical point: Of those 3.1 billion blocked attacks,
roughly half were stopped by intrusion prevention technologies inside
of the organizations’ endpoint security software — proving that while
signature-based antivirus plays a critical role in preventing threats,
it’s no longer an exclusive role. Organizations must work closely with
their security vendors and solution providers to ensure they have
implemented the latest technologies to mitigate attacks. Vendors don’t
release new versions just to generate revenue; they do so because
their older technologies become less effective over time.

Because  the  threat  landscape  is  constantly 

► See Symantec, page 20


We’re losing the war


Steven Sprague, CEO of Wave Systems


Are we winning the cybersecurity war?

Yes - 43%
No - 57%

Cast your vote and see comments at tinyurl.com/8yhxppw


SERIOUSLY, IS THERE EVEN REALLY any question about it?

Over the past year, the heads of the Nuclear Energy Regulatory
Commission (NERC), the Defense Department’s new Cyber Command and
other top officials across government and industry have flatly stated
that they can’t protect their IT systems from unauthorized intrusion.
U.S. intelligence agencies have actually named China and Russia as the
main sources of cyberattacks and alleged which groups in China
actually performed attacks — diplomatic and
economic consequences be damned.
Cybercrime  as  an  industry  has 
posted  growth  numbers  —  the  number  and  cost  of  data  breaches, 
new  malware  and  advanced  persistent  threats  (APT),  you  name 
it  —  that  would  make  Wall  Street  drool.  What’s  more,  the  deluge 
of  news  written  about  data  breaches  represents  only  a  portion  of 
the  problem.  Current  regulations  require  reporting  the  loss  of  only 
personally  identifiable  information,  not  other  highly  valuable 
intellectual  property  such  as  sales  figures  or  product  design  data. 
That  means  data  breach  costs  are  actually  much  higher. 

Not only are cyberattacks getting more sophisticated, frequent and
expensive, but our national addiction to convenience and shiny new
toys is making things worse. Key among these double-edged swords
currently cutting us are cloud and mobile technologies and the
consumerization of IT; we have gone from desktops and BlackBerries
that have relatively good security to cloud services and Apple and
Android devices that often don’t. In all these cases, we lack the
self-discipline to make information assurance and regulatory
compliance necessary preconditions to securely adopting these
promising technologies.

When  we  look  at  all  these  factors,  saying  we’re 
winning  the  cybersecurity  war  becomes  ludicrous. 
If  this  is  winning,  what  would  losing  look  like? 

Our current IT security paradigm obviously doesn’t cut it anymore.
More and more, government and commercial best practices recommend
adding an independently managed layer of hardware-based protection to
any IT security portfolio. Increasingly, organizations that rely
solely on software-based IT security aren’t bringing even a knife to a
gunfight — they’re bringing a spoon.

If  we’re  going  to  win  the  cybersecurity  war,  we 

►  See  Wave,  page  20 
► Symantec, from page 19

evolving, organizations need to be able to quickly and easily update
their networks and endpoints with the latest operating system and
application patches. Here’s where security software has a distinct
advantage over a hardware-assisted security solution, which is more
difficult to update. With more than 286 million new threats found last
year alone, previously unknown and highly sophisticated threats emerge
on a regular basis, requiring solutions that are nimble enough to
react and effectively thwart them.

New layers of protection technology are making an incredible impact.
Reputation-based security stops mutating malware by analyzing and
maintaining contextual data for billions of application files and
assigning each a risk score. Complement this with a layer of real-time
behavioral prevention to thwart targeted attacks. Additionally,
policy-based intrusion prevention solutions provide solid defense for
business-critical server workloads, without impacting performance.
Each new technology steps up to meet the latest attacker challenge.

This  comprehensive  and  effective  approach  gives  organizations 
the  freedom  to  choose  best-in-class  solutions  and  provides  the 
speed  and  agility  needed  to  respond  to  today’s  rapidly  emerging 
security  threats. 

The onus is on security professionals to continually evaluate and
update security postures to keep up with the bad guys. Advances made
to technologies that used to be thought of as “nice-to-have,” like
DLP, encryption, intrusion prevention and reputation-based security,
are making it much harder for the bad guys to get in and get stuff
out. While it may be impossible to win the cyberwar, we are at least
staying out ahead. ■

Symantec  is  a  global  leader  in  providing  security,  storage 
and  systems  management  solutions  to  help  consumers  and 
organizations  secure  and  manage  their  information-driven  world. 


►  Wave,  from  page  19 

have  to  move  to  a  global  “zero  tolerance”  policy  for  cybercrime  and 
data breaches. Enacting a zero tolerance policy must start in government
and industry board rooms and be pushed through public and
private  sector  research,  education  and  regulation.  Key  steps  include: 

■  Every  vendor  needs  to  build  in  security  by  design  (no  more 
taping  air  bags  to  the  dashboard)  and  the  enterprise  needs 
to  invest  in  upgrading  its  security  with  built-in  solutions. 

This  includes  paying  real  attention  to  information  assurance 
instead  of  lip  service,  and  rapidly  implementing  technologies 
known  to  counter  evolving  threats,  such  as  Trusted  Platform 
Modules  (TPM)  and  device-based  identity. 

■  We  need  to  strengthen  data  breach  notification  laws  to  require 
disclosure  and  the  penalties  for  noncompliance  must  be 
severe  enough  to  make  companies  take  notice. 

■  Government  and  industry  alike  must  quit  debating  game 
plans  and  org  charts  and  implement  a  shared  strategy.  We 
need  to  stop  arguing  about  who  deserves  a  first-class  cabin  on 
a  sinking  ship  and  start  getting  serious  about  fixing  leaks. 

■  Likewise,  government  and  industry  should  uphold  the 
National  Strategy  for  Trusted  Identities  in  Cyberspace 
(NSTIC),  which  will  create  an  “Identity  Ecosystem”  where 
people can choose among approved public and private suppliers
of trusted credentials that prove their identity.

We’re  losing  this  war  for  cybersecurity,  but  we  know  how  to  win. 
We’ve  got  to  ask  ourselves:  What  are  we  prepared  to  do?  ■ 

Wave  Systems  is  a  leading  provider  of  client  and  server  software 
for  hardware-based  digital  security,  enabling  organizations  to 
know  who  is  connecting  to  their  critical  IT  infrastructure,  protect 
corporate  data,  and  strengthen  the  boundaries  of  their  networks. 

Send Debate Suggestions to jdix@nww.com


The  arms  race 

Mr. Desai’s commentary is interesting for many of the reasons Mr.
Sprague notes. Essentially, every successful attack is a lost battle
independent of the status of the “war.” Successfully remediating an
attack after the fact still means the attack succeeded (even if it was
“minor”); millions stolen, infrastructures taken down, identities or
proprietary data lost, etc.

A better term for this “war” might be “arms race.” Whoever gets the
ultimate weapon first (or has the most diverse stockpile) will
ultimately win — and until that time, sitting back happy in the
knowledge that the successful-to-unsuccessful ratio remains in your
favor is short-sighted.

There is a growing number of technologies being developed and deployed
that can “see” the attack coming before it strikes, and these need to
be a much more significant aspect of the “war” strategy going forward.
That, and removing the unnecessary obstacles to getting them out in
the places they need to be in order to stay ahead of the bad guys.
DAVIDMPOFF

Who  is  winning? 

I guess it’s all in how you look at it. If we successfully thwart 99%
of all attempted cyberattacks, is that considered winning the
cyberwar? If just 1% of attempted cyberattacks are successful, you
immediately have to ask, “How much damage resulted from the attack?” I
just don’t think it’s as simple as blocking a certain number of
attacks versus allowing a certain number of attacks. It’s all in the
severity of the result. BRAD1505

Security  is  too  reactive 

While I agree that we’ve seen good progress with only a handful of
successful attacks compared to the millions that are thwarted every
year, I find it hard to view that as validation we’re winning the war.
How many attacks go unreported or undiscovered? And how much damage is
done by those attacks that succeed?

We increasingly rely upon digital infrastructure, and security is too
often reactive, meant to minimize threats. Most security audits show
glaring weaknesses, and it’s not enough to patch only the issues
ranking highest on the threat charts.

We need to be more proactive with security — building it directly into
hardware and providing more layers of defense. Security is one of few
areas where I agree MORE regulatory oversight is necessary, with
greater penalties to force adoption of stronger security. There will
never be a true victory in the cybersecurity war, and those fighting
on the front lines need more budget, innovation and support to
mitigate the damage. MICHAEL SCHULTZ


CLEAR CHOICE TEST: IPV6-ENABLED APPLICATION DELIVERY CONTROLLERS

IPv6 deployment starts at network edge

6 ADCs deliver IPv6 capabilities to apps hosted on IPv4 Web servers


BY SCOTT HOGG

IT  execs  know  they  will  have  to  deploy 
IPv6  at  some  point,  but  where  to 
begin?  One  approach  that  establishes 
some IPv6 capability without spending
a lot of time or money is to start at
the  perimeter. 

IPv6-enabling  routers,  firewalls  and  DNS 
servers  should  be  straightforward.  If  an 
organization  were  to  deploy  an  IPv6-capable 
server  load  balancer  (SLB)  or,  using  the  most 
current  term,  application  delivery  controller 
(ADC),  they  could  configure  an  IPv6  virtual 
IP  (VIP)  and  an  IPv4-only  server  farm. 

This would allow Web apps hosted on IPv4-only servers to appear to the
Internet user as IPv6 applications. The way it works is that clients
would connect to the IPv6 VIP, and the ADC would perform a
reverse-proxy function and terminate the IPv6 HTTP Internet
connection, then create a new IPv4 HTTP back-end connection to the
IPv4-only application servers. The server would not necessarily know
the IP version being used by the client and it would happily return
the data to the ADC appliance using IPv4. The ADC appliance takes that
IPv4 response from the server, copies the HTTP application data and
transmits it back to the IPv6-connected client.
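
The reverse-proxy flow described above has a logging consequence: the IPv4-only server sees the proxy's IPv4 address as its peer, so the client's IPv6 address survives only if the proxy passes it along. The following Python code is an added example, not code from the article or from any tested product; the loopback addresses, the use of an X-Forwarded-For header, the constructed request and all function names are assumptions made for the demonstration.

```python
import socket
import threading

# Constructed request; the client tries to plant its own X-Forwarded-For value.
CONSTRUCTED_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
                       b"X-Forwarded-For: 203.0.113.9\r\n\r\n")

def add_forwarded_for(request: bytes, client_ip: str) -> bytes:
    """Record the real client address in X-Forwarded-For.

    The proxy is the first trusted hop, so any X-Forwarded-For value the
    client supplied is discarded rather than passed through to the server.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [ln for ln in lines[1:]
            if not ln.lower().startswith(b"x-forwarded-for:")]
    xff = b"X-Forwarded-For: " + client_ip.encode("ascii")
    return b"\r\n".join([lines[0], xff] + kept) + sep + body

def read_head(conn: socket.socket) -> bytes:
    """Read up to the end of the HTTP header block (body-less requests only)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def proxy_one(vip: socket.socket, backend_addr) -> None:
    """Terminate one IPv6 connection and open a new IPv4 one to the server."""
    client, client_addr = vip.accept()
    with client, socket.create_connection(backend_addr, timeout=5) as backend:
        backend.sendall(add_forwarded_for(read_head(client), client_addr[0]))
        while True:                          # relay the IPv4 response
            chunk = backend.recv(4096)
            if not chunk:
                break
            client.sendall(chunk)

def backend_one(srv: socket.socket, seen: dict) -> None:
    """Stand-in for the IPv4-only Web server; notes what it can observe."""
    conn, peer = srv.accept()
    with conn:
        seen["peer"] = peer[0]               # what the server's own log shows
        for line in read_head(conn).split(b"\r\n")[1:]:
            if line.lower().startswith(b"x-forwarded-for:"):
                seen["xff"] = line.split(b":", 1)[1].strip().decode()
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")

def demo() -> dict:
    """Send one request through an IPv6 VIP on ::1 to a server on 127.0.0.1."""
    seen = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    vip = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        vip.bind(("::1", 0))                 # raises OSError without IPv6 loopback
        vip.listen(1)
        vip.settimeout(5)
        workers = [
            threading.Thread(target=backend_one, args=(srv, seen), daemon=True),
            threading.Thread(target=proxy_one,
                             args=(vip, srv.getsockname()), daemon=True),
        ]
        for worker in workers:
            worker.start()
        port = vip.getsockname()[1]
        with socket.create_connection(("::1", port), timeout=5) as client:
            client.sendall(CONSTRUCTED_REQUEST)
            reply = b""
            while True:
                chunk = client.recv(4096)
                if not chunk:
                    break
                reply += chunk
        for worker in workers:
            worker.join(5)
    finally:
        srv.close()
        vip.close()
    seen["status"] = reply.split(b"\r\n")[0].decode()
    return seen

if __name__ == "__main__":
    print(demo())
```

Source-based controls on the server side (access logs, rate limits, address ACLs) only see the IPv6 client if they read the header the proxy sets, and that header is trustworthy only when the server accepts connections from the proxy alone.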
We tested the IPv6 capabilities of the major ADC vendors’ products:
A10 Networks, Brocade, Cisco, Citrix, F5 and Riverbed/Zeus. We tested
all of the IPv6 features that these vendors listed on their data
sheets and determined that all of these systems are suitable for
aiding in an Internet edge IPv6 deployment scenario.

One piece of good news: The ADC your company already owns may have
IPv6 capabilities. It could be as simple as a software upgrade and you
would have an IPv6-capable reverse proxy server that could help
accelerate your IPv6 Internet edge deployment.

Long  list  of  features 

ADCs  can  provide  a  wide  variety  of  IPv6 
capabilities.  Most  of  the  products  tested  had 
these  features: 

■ IPv4/IPv6 server load balancing (reverse proxy), IPv6 VIP with IPv4
or dual-protocol real-servers/server-farms

■ SSL offload and acceleration for IPv6 VIPs and servers

■ Ability to perform content filtering, regular expression matching
and URL rewriting for IPv6 connections

■ IPv6-capable Web application firewall (WAF)

■ IPv6-enabled security features (distributed denial-of-service [DoS]
protection, SYN-cookies, IPS, content filtering)

■ Stateful access control lists (ACL) for IPv6 packets, ICMPv6
filtering, extension header filtering and denial of RH0 packets

■ High availability for IPv6 connections

■ Logging of IPv6 connections

■ Ability to check the IPv6 neighbor cache entries

■ IPv6 static routing

There are also some nice-to-have optional features:

■ IPv6-enabled geographical server load balancing (GSLB)

■ Authoritative dual-protocol DNS server

■ Stateful NAT64 capabilities

■ DNS64 integration with NAT64

■ IPv6 routing protocol support (static routing, RIPng, OSPFv3, IS-IS
[ST and MT], MP-BGP, RHI)


FEATURES COMPARISON

| Company | A10 Networks | Brocade | Cisco | Citrix | F5 | Riverbed |
|---|---|---|---|---|---|---|
| Product | AX2500 Version 2.6.1 and 2.6.6 | ADX 1216-4-SSL-PREM | ACE-4710-01-K9 Version A5(1.1) | NetScaler MPX7500 Version 9.3-52.3 | F5-BIG-3900-E-R Version 11.1 | Stingray 4000 VH Version 8.0r0 |
| Price | $24,995 | $45,995 | $29,995 | $22,000 | $52,995 plus $23,990 | $63,000 |
| 6-to-6, 6-to-4 SLB | Yes | Yes | Yes | Yes | Yes | Yes |
| SSL offload | Yes | Yes | Yes | Yes | Yes | Yes |
| NAT64/DNS64 | NAT64 but no DNS64 — Infoblox | NAT64 but no DNS64 — Secure64 | No | No | No | No |
| IPv6 GSLB | Yes | Yes | No - GSS 4492 separate product | Yes | Yes | Yes |
| IPv6 WAF | No | No | No | Yes | Couldn’t test it | No |
| LSN/DS-Lite/6rd | Yes | LSN but no DS-Lite or 6rd | No | No | No | No |
| IPv6 routing | Yes | Yes | No | No | No | No |
| IPv6 mgmt. | Yes | Yes | No | Yes | Yes | No |
| Installation | 5 | 4 | 5 | 4 | 3 | 5 |
| Feature set | 5 | 4 | 2 | 4 | 4 | 3 |
| Manageability | 5 | 5 | 4 | 4 | 3 | 5 |
■ Management with IPv4 and IPv6

There are also IPv6 features that apply to ISPs or large-scale data
center companies:

■ Large scale NAT (LSN), carrier grade NAT (CGN), NAT444

■ 6rd (IPv6 rapid deployment) border relay

■ Dual-Stack Lite (DS-Lite) AFTR

Many  of  these  features  have  crept  into 
ADC  products  over  several  years.  Some  are 
included  as  part  of  the  base  licensing,  but  be 
aware that some vendors may charge a premium
for these IPv6 features.
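
The security features listed above include extension header filtering and denial of RH0 packets. As an added illustration (not code from the article or from any of the tested ADCs), this Python example shows what such a filter has to do: walk the IPv6 Next Header chain and refuse routing header type 0 without blocking other routing types. The packet builders, sample packets and function names are constructed for the example.

```python
import ipaddress
import struct

# Next Header values for the extension headers this filter walks.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP = 6

def walk_extension_headers(packet: bytes):
    """Follow the Next Header chain; return ([(type, detail), ...], upper_layer).

    Only the headers named above are walked; any other value ends the walk
    and is reported as the upper-layer protocol.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        detail = {}
        if nxt == FRAGMENT:
            length = 8                                   # fixed size
            detail["offset"] = struct.unpack_from("!H", packet, off + 2)[0] >> 3
        elif nxt == AH:
            length = (packet[off + 1] + 2) * 4           # 4-octet units
        else:
            length = (packet[off + 1] + 1) * 8           # 8-octet units
            if nxt == ROUTING:
                detail["routing_type"] = packet[off + 2]
                detail["segments_left"] = packet[off + 3]
        if off + length > len(packet):
            raise ValueError("truncated extension header")
        chain.append((nxt, detail))
        if nxt == FRAGMENT and detail["offset"] != 0:
            return chain, None        # rest of the chain is in the first fragment
        nxt, off = packet[off], off + length
    return chain, nxt

def filter_decision(packet: bytes) -> str:
    """Deny RH0 (deprecated by RFC 5095) and malformed chains; permit the rest."""
    try:
        chain, _upper = walk_extension_headers(packet)
    except ValueError as exc:
        return f"drop: {exc}"
    for header, detail in chain:
        if header == ROUTING and detail["routing_type"] == 0:
            return "drop: routing header type 0"
    return "permit"

# --- Constructed sample packets (documentation prefix 2001:db8::/32) ---
def _addr(text: str) -> bytes:
    return ipaddress.IPv6Address(text).packed

def ipv6(next_header: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + _addr("2001:db8::1") + _addr("2001:db8::2") + payload

def routing_header(next_header: int, rtype: int, hops) -> bytes:
    # Hdr Ext Len counts 8-octet units after the first 8; one address = 2 units.
    head = struct.pack("!BBBBI", next_header, 2 * len(hops), rtype, len(hops), 0)
    return head + b"".join(_addr(h) for h in hops)

def dest_opts(next_header: int) -> bytes:
    # Minimal 8-octet header holding a single PadN option (type 1, length 4).
    return struct.pack("!BBBB4x", next_header, 0, 1, 4)

TCP_STUB = bytes(20)
RH0 = routing_header(TCP, 0, ["2001:db8::a", "2001:db8::b"])
SAMPLES = {
    "plain TCP": ipv6(TCP, TCP_STUB),
    "RH2 (Mobile IPv6)": ipv6(ROUTING, routing_header(TCP, 2, ["2001:db8::99"]) + TCP_STUB),
    "RH0": ipv6(ROUTING, RH0 + TCP_STUB),
    "RH0 behind Destination Options": ipv6(DEST_OPTS, dest_opts(ROUTING) + RH0 + TCP_STUB),
    "truncated RH0": ipv6(ROUTING, RH0 + TCP_STUB)[:44],
}

def decisions() -> dict:
    return {name: filter_decision(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:32} {verdict}")
```

The fourth sample is the reason a filter cannot look only at the first Next Header value: the routing header sits behind a Destination Options header.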

We set up a testing environment that mimicked a typical Internet edge
environment. We had an IPv4-only perimeter and we enabled it for IPv6.
We performed testing from the perspective of an IPv6-enabled Internet
user trying to establish connectivity to an IPv4-only Web server. We
also tested NAT64 functionality where an IPv6-only client may be
trying to reach IPv4 Internet content.

We  tested  each  of  these  six  ADCs  and  found 
that  they  were  all  capable  of  basic  IPv4  and 
IPv6  server  load  balancing  with  SSL  offload. 
We found that the support for IPv6 management,
IPv6 routing and service-provider
IPv6  features  varied  quite  widely  among  the 
vendors’  solutions.  We  found  that  all  of  these 
products  would  be  suitable  in  an  enterprise 
Internet  perimeter  environment  and  would 
aid  in  the  transition  to  IPv6. 

Here  are  the  individual  reviews: 

A10 Networks AX2500: Highly scalable, feature-rich, lacks Web app
firewall

A10 first started supporting IPv6 in its AX series in 2007. Since
then, A10 has fully embraced IPv6. Today, A10 offers two versions of
its software: one (2.6.1) for IPv6 SLB and one (2.6.6) for
NAT64/DNS64/DS-Lite/6rd and LSN, also known as CGN or NAT444 (IPv4
preservation).

A10 also has a SoftAX virtual appliance for lab or production
environments. We tested an AX2500, which lists for $24,995; however,
A10 has appliances that range from $15,995 to $215,000 and its SoftAX
virtual appliance can cost between $995 and $24,995. The great thing
is that all of the AX features are included without additional license
fees.

The  A10  Networks  AX  series  of  ADCs  has 
many  IPv6  features  including  IPv4/IPv6 
SLB  with  SSL  offload  and  GSLB  over  IPv6. 
The AX can perform syslog for IPv6 connections
using aFleX Tcl scripts. The AX also
allows  ping  and  management  access  using 
SSH,  HTTP/HTTPS,  SCP  and  SFTP  over 
IPv6  transport. 

Unfortunately, there are no IPv6 WAF capabilities in this version, but
A10 appliances can integrate with other market-leading WAFs such as
Imperva. We found that the A10 does provide other security features
like protocol checking for HTTP, HTTPS and DNS, distributed DoS
protections, rate limiting and ACLs.

The A10 AX2500 is highly scalable.

Our  testing  determined  that  A10  supports 
static IPv6 routes and dynamic routing protocols
for IPv6. The A10 can be configured for
RIPng,  OSPFv3,  IS-IS  and  BGP. 

A10’s SoftAX virtual appliance can help support an organization’s
cloud computing and virtualization goals. The A10 AX appliances also
support multi-tenancy and virtual chassis configurations.

AX  appliances  have  extensive  scalability 
due  to  their  64-bit  architecture  and  their 
Advanced  Core  Operating  System  (ACOS). 
However,  scalability  may  not  be  a  concern  for 
enterprises  that  may  initially  have  low  IPv6 
traffic  volumes. 

The A10 Networks systems also provide service-provider features such
as NAT64 and DNS64. The 2.6.6 software can be configured for NAT64
with DNS64, but there is also a documented Infoblox integration of
DNS64 for A10’s NAT64 configurations. The LSN, DS-Lite, 6rd,
NAT64/DNS64 scalability of these appliances makes them attractive to
service providers. In fact, the A10s compete well with more costly
heavy-iron solutions from the large router vendors.

Brocade ServerIron ADX delivers

Brocade acquired Foundry Networks in 2008 and Brocade has continued
innovating its routers, switches and server load balancers. Brocade
first started adding IPv6 features to the ServerIron ADX platform in
Version 11.0 and has continued to add IPv6 features to this ADC. We
tested a Brocade ServerIron ADX 1216-4-SSL-PREM running Version 12.3.1
and the latest software Version 12.4.00T405, which has a list price of
$45,995.

This system has the premium license, which includes Layer 3 routing,
IPv6, GSLB and an additional license for SSL offload. Brocade very
recently came out with this new software that adds to the number of
available IPv6 features. One item of note is that Brocade has a
“pay-as-you-grow” licensing model and licenses the ADXs based on the
software features, number of processors and bandwidth you require.
Therefore, to get IPv6 capability on the ADX you must purchase the
premium license.

The ADX supports IPv4 and IPv6 server load balancing as a reverse
proxy server. VIPs can use either IPv4 or IPv6 addresses and have
either IPv4 or IPv6 real servers. Brocade has completely rewritten its
IP stack to accommodate and streamline IPv6. However, our testing
revealed that its system only supports SSL offload for IPv4 VIPs using
IPv4 real servers or IPv6 VIPs using IPv6 real servers. In software
release 12.4, the ADX will be able to perform SSL offload for IPv6
VIPs using IPv4 real servers and mixed protocol server farms.

We  set  up  the  ADX  and  configured  Web 
management  over  IPv6,  and  we  also  entered 
IPv6  addresses  into  the  configuration 
through  the  Web  GUI.  We  used  SSH  over 
IPv6  transport  and  SNMP  worked  over  IPv6. 
Syslog  did  not  work  for  IPv6  syslog  servers, 
but  IPv6-related  log  messages  can  be  sent  to 
an  IPv4  syslog  server. 

The  ADX  also  supports  a  wide  variety  of 
IPv6 routing protocols including OSPFv3,
IS-IS  (single-topology  or  multi-topology)  and 
MP-BGP. 

The ADX offers IPv6 security features and allows you to configure
complex IPv6 access-lists. The ADX now supports SYN-Proxy
(SYN-cookies) for IPv6 traffic and setting the MSS works for IPv4 or
IPv6 packets. We found that other features such as distributed DoS
protection, IPS and content filtering are also IPv6-capable. However,
the Brocade ServerIron does not have an IPv6-capable WAF.

The ServerIron ADX can act as an authoritative dual-protocol DNS
server, function as a DNS proxy server and perform IPv4 and IPv6 GSLB.

The Brocade ADX supports NAT64 in the same software and hardware, but
it is configured in a different operating mode from traditional SLB
functions. Our testing determined that you cannot have a single ADX
appliance function as a NAT64 system and a server load balancer at the
same time.

The ADX has capabilities for IPv6-only or IPv4-only clients. The
Brocade ServerIrons can perform LSN/CGN/NAT444, but do not currently
support 6rd or DS-Lite.

Cisco  ACE:  features  are  limited 

The Cisco Application Control Engine (ACE) has been available for many
years in many forms but only a few months ago did the Cisco ACE begin
to support IPv6. ACE software release A5(1.1) runs on the ACE30 module
for a Cisco 6500 switch and the ACE4710 appliance. Unfortunately,
customers that have invested in ACE10 or ACE20 modules will not be
able to use this version and will face hardware upgrades to support
IPv6. There are ACE10/20 to ACE30 upgrades available for $30,000. The
device that we tested was the ACE-4710-01-K9 running software Version
A5(1.1), which has a list price of $29,995.

Cisco  ACE  modules  and 
appliances  have  licensing 
that  allows  the  upgrade  of  the 
performance  of  the  units,  the 
number  of  SSL  connections 
and number of virtual contexts.
There is no additional
charge  for  IPv6  support  on 
the  ACE.  If  you  are  familiar 
with  configuration  of  Cisco  devices  using 
contexts  then  you  will  feel  right  at  home 
with  this  system. 

The Cisco ACE performed server load balancing for IPv6 VIPs with IPv6
real servers and IPv6 VIPs with IPv4 real servers. We easily
configured IPv6 health probes and the Layer 4/Layer 7 policies and SSL
offload work for IPv6 connections. HTTP/HTTPS and DNS inspection
(application awareness) work for native IPv6-IPv6 traffic. The ACE
allowed us to configure IPv6 ACLs and perform packet capture of IPv6
packets. The ACE has IPv6 security features and it can filter
extension headers and perform fragmentation inspection, IPv6
ICMP-guard, IPv6 normalization and IPv6 Unicast-RPF checking. The ACE
can act as a DHCPv6 relay and can either send routing advertisements
on its Ethernet interfaces or suppress them. In the ACE, fault
tolerance is not supported over IPv6 but it can track IPv6
connectivity and use IPv6 alias addresses on its interfaces.

The ACE does have some limitations. It does not support IPv6 dynamic
routing protocols, but it does have IPv6 static routing and IPv6 Route
Health Injection (RHI). The ACE does not have stateful NAT64 with or
without DNS64. We could not configure IPv6 transport for management
protocols (SSH, Telnet, SNMP, HTTP/HTTPS) but IPv6 MIB values are
available for SNMP query over IPv4 transport.

IPv6 application delivery controllers

With an IPv6 ADC, a network manager can begin deploying IPv6 at the
network edge. In this example, IPv4-only Web, email and DNS servers
are able to connect with IPv6-connected clients.

We were able to perform IPv6 configuration
through the Web GUI, but it is only accessible
over IPv4. We could ping the ACE using
ICMPv6  and  could  send  syslog  messages  with 
IPv6  addresses  in  them.  The  ACE  GSS  4492 
does  have  IPv6  support  for  GSLB.  However,  in 
August  2011,  Cisco  announced  end  of  sales  for 
its  ACE  WAF  so  it  will  never  be  IPv6-capable. 

Citrix  NetScaler:  Fully  featured 

NetScaler  has  supported  IPv6  for  more  than 
seven  years.  IPv6  capabilities  are  available  in 
the platinum, enterprise and standard edition
feature sets and now IPv6 comes enabled
by  default  for  no  additional  cost.  We  tested 
using  a  Citrix  NetScaler  MPX7500  running 
software  Version  9.3-52.3  that  costs  $22,000. 
In  addition  to  Citrix’s  hardware  appliances, 
the  company  offers  a  virtual  appliance  called 
the  NetScaler  VPX. 

It was easy to configure IPv6 addresses on interfaces and VLANs through
either a command line interface (CLI) or the GUI. The NetScaler supports
configuring IPv6 VIPs with IPv6 or IPv4 services. SSL offload worked for
IPv6 and health probes operate over IPv6. Content switching worked for IPv6
connections and regular expressions could be created using IPv6 addresses.
URL rewriting also worked for IPv6 VIPs. We could configure IPv6 for RADIUS
servers, TACACS+ servers, LDAP servers, syslog servers and DNS servers.

The NetScaler can be an authoritative DNS server for IPv6 AAAA address
records, which is important for the GSLB functionality. IPv6-capable DNS
services help make GSLB work for IPv6 addresses. High availability could
also use IPv6 addresses. We could create traffic filters that contain IPv6
addresses and IPv6 ACLs were easy to configure. We could manage the
NetScaler over IPv6 transport and there are IPv6-specific MIBs/OIDs for the
NetScaler that we could query over IPv6 SNMP. We were also able to create
custom log formats using IPv6 source/destination addresses and v-server
address.

The built-in Web application firewall helps secure IPv4 and IPv6 services
from attacks. Policies can be created and applied to IPv6 applications just
as easily as for IPv4 applications. The NetScaler software allows for the
configuration of static IPv6 routes, and we also configured OSPFv3 and RIPng
in the IP Infusion ZebOS Cisco-like interface. The NetScalers have IPv6 NAT,
inbound network address translation (INAT) and prefix-translation
capabilities. The NetScalers also support NAT64 and DNS64. The Citrix
NetScaler also has IPv6 SSL VPN “Access Gateway” services.

F5  Big-IP:  Easy  to  customize 

F5  has  supported  IPv6  in  its  BIG-IP  ADC 
products  for  several  years.  The  device  we 
tested  was  the  BIG-IP  3900  Local  Traffic 
Manager  Enterprise  Edition,  which  has  a 
list  price  of  $52,995.  This  unit  also  includes 
the  Global  Traffic  Manager  module,  for  an 
additional  $23,990.  We  tested  using  BIG-IP 
software  Version  11.1.0  Build  1943.0.  The 
F5  hardware  architecture  combines  x86_64 
processors  and  FPGAs/network  processors 
to  provide  performance  and  flexibility. 

It was relatively easy to configure the unit with IPv6 addresses for self
IPs. It was easy to use the GUI to configure IPv6 VIPs for IPv4 or IPv6
application servers. F5 supports IPv6 static and dynamic routing through the
IP Infusion ZebOS configuration CLI, although we had difficulties getting
router adjacencies configured. The BIG-IP supports route domains (like
virtual routers) and administrative partitions (multi-tenancy) and virtual
clustered multiprocessing (vCMP) (running different software versions
simultaneously on their chassis hardware).

How to shop for application delivery controllers

The difference among application delivery controllers is the way they can be
integrated into your organization’s network topology. Most organizations may
deploy a server load balancer/ADC in-line as a Layer-3 reverse-proxy-server.
This configuration requires public/global addresses on the external
interface and private addresses on the internal interface. On the back end,
IPv4 servers use RFC1918 IPv4 addresses, but with IPv6 it is not necessary
to use private unique local addresses for the internal networks. ADCs that
operate this way are fully stateful and perform TCP normalization and
traffic inspection, which benefits security.

Other products may operate virtually in-line as a proxy server, but not be
directly in the traffic path. These solutions may require the use of
source-NAT or Policy-Based Routing, or act as the server’s default gateway
to force the traffic through the ADC. These products can allow Direct Server
Return and may lack stateful awareness of the connections.

Other systems may operate at Layer 2 and create a bridge between two virtual
LANs or subnets. These products may use a bridged virtual interface or proxy
and/or source-NAT to get the traffic to go through the appliance.

There are also more products being offered as a virtual appliance at the
hypervisor layer. The server VMs use the virtual appliance as their
proxy-server or default gateway. Many organizations prefer virtual appliance
solutions because they are easy to test and can be deployed quickly.

Another feature that is important is URL rewriting. If the external FQDN for
the IPv6 website is different than the IPv4 internal Web application’s
embedded links, then those links will need to be rewritten to the IPv6-FQDN.
This feature will ensure that the site does not automatically fall back to
the IPv4-embedded links and keeps the client believing that the entire site
is reachable over IPv6.

— Scott Hogg
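The URL rewriting that the shopping sidebar describes, sketched as an added Python example (not code from the article or from any of the tested products). The host names app.internal.example and www6.example.com, and the choice to drop the back end's port on rewrite, are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed names, for illustration only (they do not come from the article).
INTERNAL_HOST = "app.internal.example"  # IPv4-only back-end name embedded in pages
EXTERNAL_HOST = "www6.example.com"      # FQDN published with an AAAA record on the ADC

# Quoted values of the HTML attributes that normally carry URLs.
_URL_ATTR = re.compile(r"""(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2""",
                       re.IGNORECASE | re.DOTALL)


def rewrite_url(url, internal=INTERNAL_HOST, external=EXTERNAL_HOST):
    """Swap the host for the external FQDN only when the parsed hostname is
    exactly the internal name. Parsing (not substring replacement) keeps
    look-alike hosts and userinfo tricks from being rewritten."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lower-cased, no port, no userinfo
    except ValueError:                 # malformed URL: leave it alone
        return url
    if host is None or host.rstrip(".") != internal.lower():
        return url                     # relative link or some other site
    # Assumption: the external VIP listens on the default port, so the
    # back end's port (for example :8080) is dropped.
    return urlunsplit((parts.scheme, external, parts.path,
                       parts.query, parts.fragment))


def rewrite_body(html, **kw):
    """Rewrite URL-bearing attributes in an HTML body."""
    def _sub(m):
        return f"{m.group(1)}{m.group(2)}{rewrite_url(m.group(3), **kw)}{m.group(2)}"
    return _URL_ATTR.sub(_sub, html)


def rewrite_response(headers, body, **kw):
    """Rewrite redirect headers and the body, then recompute Content-Length,
    which changes whenever the two host names differ in length."""
    out = dict(headers)
    for name in ("Location", "Content-Location"):
        if name in out:
            out[name] = rewrite_url(out[name], **kw)
    new_body = rewrite_body(body, **kw)
    out["Content-Length"] = str(len(new_body.encode("utf-8")))
    return out, new_body


def leftover_internal_refs(body, internal=INTERNAL_HOST):
    """Lines that still name the internal host after rewriting (inline
    script, CSS, JSON). Each one is a place where an IPv6 client could
    still be sent to the IPv4-only name."""
    exact = re.compile(r"(?<![\w.-])" + re.escape(internal) + r"(?![\w-]|\.\w)",
                       re.IGNORECASE)
    return [ln.strip() for ln in body.splitlines() if exact.search(ln)]


# Constructed sample response, not captured traffic.
SAMPLE_HEADERS = {"Location": "http://app.internal.example:8080/login",
                  "Content-Length": "0"}
SAMPLE_BODY = """<a href="http://app.internal.example/cart">Cart</a>
<img src='//APP.INTERNAL.EXAMPLE:8080/logo.png'>
<a href="/relative/path">Home</a>
<a href="http://app.internal.example.partner.test/">Partner</a>
<script>var api = "http://app.internal.example/api";</script>"""

if __name__ == "__main__":
    hdrs, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(hdrs)
    print(body)
    print("still internal:", leftover_internal_refs(body))
```

The leftover check matters as much as the rewrite: links built in script are not caught by attribute rewriting and are where a fallback to the IPv4-only name usually hides.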

The documentation mentioned that you must configure radvd for IPv6 support.
However, we found that you do not need to configure radvd unless you need
the BIG-IP to act like a default gateway router. In other words, if you want
computers that are directly connected to the F5 to hear the router
advertisement ICMPv6 messages from the F5, then you must configure radvd
through CLI.

We configured the Web management interface to be used over either IPv4 or
IPv6, but it cannot do both simultaneously. The self IPs were reachable
using IPv6 and SSH, and the F5 did allow for remote management of the system
over IPv6 using SNMP v1/v2c/v3.

One of the powerful features of F5 LTMs is the iRules event-driven scripting
language that allows the administrator to customize how application traffic
is handled. iRules can be configured for matching on IPv6 addresses.

The latest version, 11.1, now has IPv6 support for the Application Security
Manager (WAF). This operating mode on the BIG-IP hardware should provide
HTTP protocol inspection to protect IPv6 Web applications; however, we were
not able to get this configured.

F5 also sells a virtual appliance called the BIG-IP Local Traffic Manager
(LTM) Virtual Edition (VE), which can be an IPv6 load balancing gateway with
NAT64/DNS64 support.

Riverbed  Stingray  Traffic 
Manager:  Easy  to  set  up 

Zeus Technology, which has been in business since 1995, released a virtual
ADC appliance in 2004 and added IPv6 support to Zeus Traffic Manager in
2008. Last year Riverbed acquired Zeus, and now the virtual ADC system is
called the Stingray Traffic Manager.

Stingray Traffic Manager Version 8.0 was released on Oct. 25, with Version
4.1 of the Stingray Application Firewall now built into the Traffic Manager
software distribution. Pricing for the Riverbed Stingray Traffic Manager 8.0
starts at $5,500 and goes up to $63,000 for the 4000VH.

The  Stingray  Traffic  Manager  was  very 
easy  to  set  up  as  a  virtual  machine  (VM). 
Nothing  needed  to  be  configured  on  the  CLI 
of  the  virtual  appliance.  The  only  time  we 
used  the  CLI  was  to  gracefully  shut  down  the 
system.  All  other  administrative  tasks  were 
performed  with  a  Web  browser  to  connect  to 
the  management  interface  IP  address. 

Configuration was very simple and in just a few clicks we had IPv4-to-IPv4,
IPv6-to-IPv6 or IPv6-to-IPv4 load balancing configured. The interface is
intuitive enough that you may even be able to resist the urge to read the
manual and still configure it successfully. It was trivially easy to
configure IPv4 and IPv6 front-end and back-end servers and services and
IPv6-enabled SSL offload. Anywhere we could configure an IPv4 address we
could configure an IPv6 address instead. We found that if we configured a
fully qualified domain name (FQDN), then it performed an IPv4 DNS lookup
first, but if that failed then it used the IPv6 address returned by DNS. The
Stingray Traffic Manager does not support stateful NAT64 but it does
function as a proxy for IPv4 and IPv6 connections. Stingray Traffic Manager
Version 8.0 does not support IP transparency for IPv6 back ends or clients.

The Stingray supports TrafficScripts, which can be used for advanced traffic
handling or for preventing distributed DoS attacks. We even successfully
tested the Stingray Traffic Manager ZeusBench, which is a built-in IPv4/IPv6
traffic/server testing system. Information exchanged between traffic
managers or clusters is done over IPv4 and heartbeat messages use only IPv4
packets.

The Stingray Application Firewall, the Application Firewall Module (AFM),
does not support IPv6. Also the GSLB Multi-Site Manager (MSM) lacks IPv6
capabilities. The Zeus Traffic Manager cannot run a dynamic routing protocol
like OSPFv3, but this is in development and should be available soon.

Conclusions 

The transition to IPv6 is already underway. Much of your IPv6
Internet-perimeter infrastructure is already IPv6 capable. Regional Internet
registries have IPv6 addresses to give you, and your ISP may already have
IPv6 Internet connectivity ready for you.

Use of an IPv6-capable reverse proxy server could help accelerate your IPv6
Internet edge deployment. If you already own one of these systems, you have
very little capital expenditure to get your organization’s Web applications
to be reachable with IPv6.

If  you  own  an  ADC  that  does  not  have  IPv6 
capabilities  then  it  would  be  worth  speaking 
to  your  vendor.  However,  if  your  vendor  has 
not  put  IPv6  on  its  product  development  road 
map,  then  you  are  likely  to  be  purchasing  a 
new  system  to  gain  this  functionality.  Any  of 
the  six  products  in  this  test  will  fit  the  bill.  ■ 

Hogg is director of Technology Solutions at GTRI, chair of the Rocky
Mountain IPv6 Task Force, and author of a Cisco Press book on IPv6 security.
He can be reached at scott@hoggnet.com.

CLEAR CHOICE TEST: CISCO TABLET

First look: Cisco Cius

A mobile collaboration device that means business

BY TOM HENDERSON


We  had  a  chance  to  see  the 
Cius  tablet  at  a  Cisco  office 
in  Boston,  and  while  we 
weren’t  able  to  bring  it  back 
to  our  own  lab  and  pound 
on  it,  we  did  get  a  pretty  good  feel  for  what  the 
Cius  is  and  what  it  isn’t. 

First  off,  Cius  is  not  a  consumer  tablet.  In 
fact,  it’s  only  available  through  the  Cisco 
partner  network  at  a  price  of  less  than  $750 
for  the  endpoint  and  less  than  $350  for 
the  media  station,  for  a  total  of  less  than 
$1,100.  In  other  words,  if  you’re  just 
looking  to  read  a  book  on  the  beach,  pick 
up  a  Kindle  Fire  for  $199. 

That’s not to say you can’t use the Cius for consumer-oriented functions,
but to get the full benefit of Cius’s rich set of collaboration and
productivity features, the device should be connected to Cisco Unified
Communications Manager (CUCM) on the back end.

We found that the Cius is a carefully thought-out videophone-cum-tablet
endpoint with many best-of-breed internals, like 4G speed and a docking
station with purpose.

The  Cius  unit  is  based  on  Android,  and  the 
initial  basic  appearance  was  that  of  most  other 
generic  Android  tablets.  Based  on  our  prior 
test  of  enterprise  tablets,  the  Cius  reminded  us 
of  the  Fujitsu  Stylist.  That’s  where  superficial 
comparisons  end,  however,  as  Cius’s  software 
payload,  with  collaborative  emphasis  and 
VoIP/conferencing  accessorizing,  is  huge. 
First,  the  specs. 

The  tablet  size  is  small,  with  a  screen 
size  of  just  7  inches  —  although  it  supports 
1280x600  HD  video  at  30  frames  per  second, 
and  it  weighs  less  than  2  pounds.  It  has  front 
and  backside  cameras,  and  is  powered  by  an 
Intel  Atom  CPU  with  a  gig  of  RAM.  The  Cius 
docking  station  we  saw  had  audio,  and  props 
the  unit  into  an  angled  viewing  position  to 
fulfill  one  of  the  Cisco-stated  missions  of  the 
Cius  unit:  videoconferencing  and/or  VoIP  — 
collaboration  is  the  theme. 

You get serious Wi-Fi, and perhaps AT&T’s 4G (technically 3.8G), although we
didn’t get to see AT&T connectivity or use it. Soon, we were told. The
display on the videoconferencing demo we were shown, over a fast Wi-Fi
connection, was stunningly clear.

Cius’s compatibility with CUCM means you can enforce security policies and
manage applications. You can change the battery in seconds, we found.
Differing capacities of storage are available.

We saw plenty of jacks. There’s a mini-HDMI jack that was used to power
large screen displays during our demo, a micro-USB jack and an SD card jack.
There’s also an Ethernet jack — something that’s missing from most of the
“business-focused” tablets we’ve seen so far.

With all of the jacks, and a memory port, one questions if users can access
root or violate policies that might cause compliance or conformance
problems. Cisco was all over that question. Through Cisco’s secure boot (not
tested) and CUCM, Cisco offers mobile device management (MDM) with lengthy
use policies, giving administrators a lot of options.

Our hacking challenge instincts were twigged. Could MDM controls be
thwarted? On top of Cisco’s MDM controls are ActiveSync controls which join
Outlook and Microsoft Exchange administrative controls to the Cius. There
are, therefore, two ways to control Cius user behavior: with Cisco’s unified
communications components and Microsoft ActiveSync.

Cius is all about collaboration, according to Cisco, and the applications we
saw follow this theme. The base Cius software load includes Cisco’s WebEx
application, along with Jabber. WebEx is familiar to the corporate world as
a heterogeneous operating systems-compatible conferencing application with
VoIP capabilities.

Jabber  enables  a  chat  client,  which  can  be 
used  with  XMPP  chat  clients  (we  use  Adium 
as  a  base  client)  to  enable  single  IM  or  group 
chat.  The  WebEx  application  sharing  demo 
that  Cisco  set  up  for  us  was  fast.  We  have  no 
idea  whether  it  was  optimized  for  the  demo, 
but  it  looked  good  and  added  voice  and  video 
interaction  successfully. 

Also included are calendar, email and visual voice mail applications,
although we didn’t get a chance to examine these thoroughly. With ActiveSync
added, the Cius ought to be Outlook/Exchange compatible, but we don’t know
to what degree. Storage is limited (32GB of flash), but there are external
storage capabilities through USB that might assuage storage concerns.

In the dock

The Cius docking station adds connectivity and sound. Tablet docking
stations are an approach that Motorola and others have taken, although not
with much success. But with the Cius, it’s almost mandatory for its added
functions. Cisco therefore might have more success with a docking station in
this purposefully collaborative context.

A  third-party  Bluetooth  keyboard 
was  used  with  the  docking  station  (and  it 
could  be  used  directly,  as  the  Cius  supports 
Bluetooth  3.0),  and  we  found  this  “tethered” 
keyboard  (from  Logitech)  to  be  tenable. 

Unlike the Motorola docking station, the Cisco Cius/docking station
combination had larger speakers and “mini-stereo system” sound. The
brightness and resolution of the display made the videoconferencing
demonstration, coupled to the docking station audio, a compelling
experience.

The bundled software applications are also designed to manage contacts with
on-screen push buttons to rapidly “dial” or choose participants for
conversations, a bow to the endless milieu of corporate business meetings —
but these are online rather than face-to-face.

Cius apps are Android apps, although they’re accessed through a Cisco
Android marketplace called AppHQ. This walled-garden approach to accessing
applications allows administrators to impose constraints.

We were unable, however, to find any application review or security test
regimen on Cisco’s Cius developer website that would restrict an “evil”
AppHQ from distribution via AppHQ.

Overall

Cisco packs a lot of purpose into its smallish 7-inch tablet. This is not
for consumers, although all of the typical tablet entertainment apps will
probably work — if they’re allowed. The Cius is a business-focused tablet
that delivers mobile collaboration for enterprises. ■

Henderson  is  managing  director  for 
ExtremeLabs,  of  Bloomington,  Ind. 

Henderson can be reached at kitchen-sink@extremelabs.com.


30  FEBRUARY  13, 2012  www.networkworld.com 




SPECIAL FOCUS

► Hadoop, from page 1

Increasingly, IT shops are finding a place for Hadoop in their data
architecture plans. The appeal is that Hadoop can enable massively parallel
computing on inexpensive commodity servers. Companies can collect more data,
retain it longer, and perform analyses that weren’t practical in the past
because of cost, complexity and a lack of tools.

At Concurrent Computer, the decision to use Hadoop was driven in large part
by volume. “Scalability was the biggest concern. With a traditional
relational database, every time you want to scale or get bigger, you end up
paying a premium,” says Will Lazzaro, director of engineering at Concurrent,
which provides video-on-demand systems and processes billions of records a
day related to viewers, content consumption and platform operations.

Playing  with  big  data 

Hadoop  lets  enterprises  store  and  process 
data  they  previously  discarded  —  log  files,  for 
example  —  because  it  was  too  hard  to  process 
and  didn’t  fit  cleanly  into  traditional  database 
schemas.  That’s  the  crux  of  so-called  big  data, 
says  Matt  Aslett,  research  manager  at  451 
Research. 

In addition to being scalable, Hadoop computing systems are flexible. Hadoop
is schema-less, which lets users join and aggregate data from disparate
sources for more complex analyses. New nodes can be added as needed, and
Hadoop’s built-in fault tolerance features allow the system to redirect work
to another location if a node is lost.

“That schema-less approach, which lets you just store the data and then
figure out what you want to do with it, is much more appropriate for
unstructured and semi-structured data like Web log data, as well as for data
that you know has value for the organization, but you may need to do some
experimentation to figure out what that value is,” Aslett says. “The cost of
doing that in an enterprise data warehouse would just be prohibitive.”

Return Path, an email certification and reputation monitoring company,
started experimenting with Hadoop in 2008, attracted by its enormous storage
potential and the ability to easily scale the platform by adding servers.
Return Path collects massive amounts of data from ISPs and analyzes it to
establish email sender reputations, pinpoint deliverability issues or
monitor potentially harmful messages, for instance.

In the early days, signing on a new ISP or two could result in a quadrupling
of its data. The company found itself in a position where it couldn’t keep
data as long as it wanted to, nor could it process the data as fast as it
wanted to, recalls CTO Andy Sautins. Over the years, he and his team tried a
few custom solutions to augment the company’s traditional enterprise data
warehouse. “These worked fairly well but required much more time and
investment in software development than made sense,” Sautins says.

is hot

A skills shortage, influx of venture capital, and proliferation of Hadoop
distributions show Hadoop's increasingly mainstream popularity.

#7 hot job

Hadoop is the seventh fastest growing keyword found in Indeed’s online job
postings.

23 distributions

Apache lists 23 products that include Hadoop or derivative works and
commercial support.

653 jobs

A keyword search for Hadoop turns up 653 jobs on Dice.com

9 petabytes

eBay has 9 petabytes of data in its Hadoop and Teradata clusters

$100 million

Accel Partners unveiled its $100 million big data fund during a keynote at
Hadoop World.

Hadoop  was  a  game-changer.  “It  let  us 
change  the  conversation  around  what  it 
meant  to  retain  data.  It  wasn’t  in  terms  of 
weeks,  it  was  years,”  Sautins  says. 

Moving  out  of  the  shadows 

Apache Hadoop includes two main subprojects: the Hadoop Distributed File
System (HDFS), which provides high-throughput access to application data,
and Hadoop MapReduce, which is a software framework for distributed
processing of large data sets on compute clusters. It’s augmented by a
growing group of Apache projects, such as Pig, Hive and Zookeeper, that
extend its usability.

Hadoop’s emergence as an enterprise platform mirrors in many ways the
arrival of Linux: Deployments were preceded by shadow IT projects, or skunk
works, to test the merits of the software before adopting it on a wider
scale.

Adoption is growing largely through developers, Aslett says. “It’s just as
we saw Linux move in to enterprises through the IT department and internal
projects, when the CEO/CIO didn’t necessarily know that it was in there.”

The emergence of vendors with commercial, enterprise-oriented Hadoop
distributions — including support, management tools and configuration
assistance — has further accelerated adoption in the enterprise realm. Key
players in this arena are Cloudera, MapR Technologies and Hortonworks, which
was spun out of Yahoo last year to develop its own distribution of Hadoop.

Concurrent uses the Cloudera CDH platform. Return Path started working with
MapR’s commercial distribution last year, which boosted performance roughly
2.5- to three-times, Sautins says.

Along with multiplying options for commercial Hadoop distributions, there
are other signs the open source platform is gathering steam. Venture capital
is flowing, and new startups with management add-ons and analytic
applications are appearing at a dizzying pace. It’s also getting increasing
attention from traditional data management players — including IBM, Oracle,
Microsoft and EMC — eager to cash in on the action.

Hadoop  makes  it  easier  to  process  big  data, 
but  it’s  no  cure-all.  One  common  challenge 
for  enterprises  is  how  to  choose  the  most 
appropriate  technology  to  handle  different 
kinds  of  data. 

“There’s still a lot of confusion about what applications, what workloads,
should be on Hadoop vs. those that should be in a traditional enterprise
data warehouse,” Aslett says. “Unfortunately at this point, there aren’t any
easy answers for that.”

Another  challenge  that  will  only  heighten 
as  Hadoop  heads  for  the  mainstream  is 
finding  people  to  work  with  the  technology. 
“There’s  a  lack  of  skills,  and  that’s  definitely  a 
challenge  in  terms  of  the  continued  adoption 
of  Hadoop,”  Aslett  says. 

“If you go out there and try to hire, it’s incredibly difficult,”
acknowledges Omer Trajman, vice president of customer solutions at Cloudera.
A more feasible approach is to look internally for candidates ripe to learn
Hadoop, he suggests.

On the positive side, as awareness of Hadoop grows, the number of IT pros
learning Hadoop is growing, too.

“Every time I’ve talked to a recruiter for the last two years, I’ve asked if
they have anybody with Hadoop experience. Usually the answer was ‘ha-what?’
Increasingly it’s maturing, so you are seeing more people in the field,”
Lazzaro says. ■

HR 1981, the jaws of law will eat your Internet


YOU  REMEMBER  in  “Jaws”  where  a  girl  is 
swimming  in  the  ocean  and  the  music  starts 
playing  (“dun-dun,  dun-dun,  dun-dun ...")? 
You  know  what’s  going  to  happen  ...  at  the  last  moment  she  sees  the 
shark’s  fin  and,  “eeeekkkkkkkkk!” ...  too  late!  CHOMP! 

Well, that’s sort of the way things are shaping up with a bill that has
implications just as worrying as the two recently squashed but not yet truly
dead bills, Stop Online Piracy Act (SOPA) and Protect Intellectual Property
Act (PIPA), that I sliced and diced a couple of weeks ago.

The  sea  in  this  horror  movie  is  once  again  the  Internet,  the  swimmer 
is  you  and  me  and  all  U.S.  Internet  users,  and  the  shark  is  called  the 
Protecting  Children  From  Internet  Pornographers  Act  of  2011. 

The problem with this bill lies not in its core intentions, to provide a
framework in which to define, prosecute and punish online child pornography.
Quite obviously that is a hugely important topic and one that needs to be
addressed. The problem is in its implementation and unintended consequences.

Sponsored  by  the  out-of-touch  and  uninformed  Rep.  Lamar  Smith 
(R-Texas),  who  was  also  the  lead  sponsor  of  SOPA  (“eeeeeekkkkkk”), 
the  bill,  HR  1981,  was  introduced  last  year  to  broad  condemnation  by 
pretty  much  anyone  with  a  clue  about  the  online  world  (the  American 
Civil  Liberties  Union,  The  Electronic  Frontier  Foundation  and  The 
American  Library  Association  were  particularly  vocal). 

Alas, people with a clue are apparently not among the 39 co-sponsors of the
bill, which was passed by the House Judiciary Committee on Dec. 16 and
placed on the Union Calendar. That may not sound important, but according to
several sources, including The Next Web, this means the bill has been given
what is called “expedited consideration,” which puts it on a fast track to
being passed!

So, what’s so bad about the Protecting Children From Internet Pornographers
Act of 2011? Well, hidden among the good provisions is the requirement that
“A commercial provider of an electronic communication service shall retain
for a period of at least one year a log of the temporarily assigned network
addresses the provider assigns to a subscriber to or customer of such
service that enables the identification of the corresponding customer or
subscriber information ...”

What  the  proposed  legislation  wants  is  for  your  ISP  to  keep  detailed 
records  of  the  IP  addresses  assigned  to  you  so  if  you  are  suspected  of 
being  a  bad  guy,  your  past  activities  can  be  reviewed. 

Apart  from  the  obvious  violation  of  our  constitutional  rights,  the 
thing  that  should  have  us  all  worried  is  the  almost  guaranteed  abuse 
of  the  tracking  data  that  will  occur.  Just  consider  how  easily  cellphone 
providers  have  been  known  to  give  in  to  cellphone  tracking  requests. 

The biggest problem with HR 1981 is that very few of its sponsors
really understand the bill’s implications. One of its few vocal opponents,
Rep. Zoe Lofgren (D-Calif.), renamed the bill the “Keep Every
American’s Digital Data for Submission to the Federal Government
without a Warrant Act,” which is exactly the problem.

Be  warned  (“dun-dun,  dun-dun ...”)  this  bill  is  relentlessly  slicing 
through  the  legislative  process  and,  if  it  passes,  it  will  eat  up  even  more 
of our liberties (“eeeekkkkkkkkk!”).

Gibbs  is  treading  water  in  Ventura,  Calif.  Tell  backspin@gibbs.com  if 
you  can  see  the  threat. 
In-flight Wi-Fi, missing science and a survey

AT FIRST blush, it’s another one of those,
“Sure, it will happen ... eventually,” type of
situations. I mean does anyone envision
a commercial air fleet without readily available Internet service 20
years down the runway?

That seems unlikely, yet efforts to get such service off the ground
have produced spotty results, with one report saying 7% of U.S. passengers
availed themselves of in-flight Wi-Fi last year, perhaps because
it’s still only available on 16% of airplanes.

“The  7%  isn’t  too  bad,”  said  Amy  Cravens,  an  analyst  at  In-Stat,  in 
an  interview  with  Computerworld.  She  noted  that  was  up  from  4%  in 
2010.  “However,  the  service  isn’t  profitable  at  these  levels,  so  everyone 
is  hoping  it  improves.” 

It  will.  But  it’s  not  as  though  the  technology  has  just  appeared;  it’s 
been  around  about  a  decade.  So  I’m  thinking  that  there’s  more  than 
just  availability  and  high  prices  holding  usage  back. 

Maybe  more  people  than  will  admit  it  actually  welcome  a  couple  of 
hours  of  being  disconnected. 

Matchmaking  sites  short  on  the  science? ...  Get  out. 

A group of bitter, bitter researchers has chosen this generally joyous
run-up to the holy day of romance to issue “a sweeping review of scientific
studies” that allegedly shows dating sites such as Match.com
and eHarmony fail to apply to their matchmaking the same scientific
rigor normally associated with, say, astrology.

From an IDG News Service story: “Companies have not made their
algorithms [for matching potential mates] available to the public, nor
even to regulatory authorities. Nobody knows what the algorithms
are,” said Harry Reis, a professor at the University of Rochester.
“It is certainly possible they have some magic formula no one has
looked at that could in fact be effective. However, there is no evidence
for that.”

In other words, it’s like the eTrade baby telling the guy who’s building
his retirement account using scratch tickets: “You realize that the
odds of winning are the same as being mauled by a polar bear and a
regular bear in the same day?”

Yes,  I’m  being  overly  harsh  and  these  sites  undoubtedly  have  saved 
many  a  lonely  heart. 

Another  study  shows  vendors  think  we’re  stupid 

Time  for  a  pop  quiz.  The  press  release  reads: 

“A data center industry index, the result of a survey by [Vendor X]
reveals that cost savings and scalability are prompting more data center
owners and c-suite technology executives to consider [this type of]
data center solutions.

“The first ‘Mission Critical Annual Index’ indicates that 85% of participants
would consider [this type of] solution in building their next
data center, with most of that group — just over 75% — citing cost and
flexibility as key drivers in that decision.”

Now  what  type  of  “solutions”  do  you  suppose  Vendor  X  sells?  (I  see 
all  of  you  have  your  hands  raised.) 

Yes,  of  course,  it’s  this  type.  ■ 

Alternative  answers  should  be  sent  to  buzz@nww.com. 